Lucene search

GitHub_MCVE-2021-37627

HistoryAug 11, 2021 - 11:15 p.m.

CVE-2021-37627

2021-08-1123:15:07

CWE-269

GitHub_M

web.nvd.nist.gov

contao

cms

privilege escalation

form generator

security advisory

update

cve-2021-37627

nvd

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

42.8%

JSON

Contao is an open source CMS that allows creation of websites and scalable web applications. In affected versions it is possible to gain privileged rights in the Contao back end. Installations are only affected if they have untrusted back end users who have access to the form generator. All users are advised to update to Contao 4.4.56, 4.9.18 or 4.11.7. As a workaround users may disable the form generator or disable the login for untrusted back end users.

Affected configurations

Nvd

Vulners

Node

contaocontaoRange4.4.0–4.4.56

contaocontaoRange4.9.0–4.9.18

contaocontaoRange4.11.0–4.11.7

contaocontaoMatch4.0.0

contaocontaoMatch4.1.0

contaocontaoMatch4.2.0

contaocontaoMatch4.3.0

contaocontaoMatch4.5.0

contaocontaoMatch4.6.0

contaocontaoMatch4.7.0

contaocontaoMatch4.8.0

contaocontaoMatch4.10.0

VendorProductVersionCPE
contaocontao*cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*
contaocontao4.0.0cpe:2.3:a:contao:contao:4.0.0:*:*:*:*:*:*:*
contaocontao4.1.0cpe:2.3:a:contao:contao:4.1.0:*:*:*:*:*:*:*
contaocontao4.2.0cpe:2.3:a:contao:contao:4.2.0:*:*:*:*:*:*:*
contaocontao4.3.0cpe:2.3:a:contao:contao:4.3.0:*:*:*:*:*:*:*
contaocontao4.5.0cpe:2.3:a:contao:contao:4.5.0:*:*:*:*:*:*:*
contaocontao4.6.0cpe:2.3:a:contao:contao:4.6.0:*:*:*:*:*:*:*
contaocontao4.7.0cpe:2.3:a:contao:contao:4.7.0:*:*:*:*:*:*:*
contaocontao4.8.0cpe:2.3:a:contao:contao:4.8.0:*:*:*:*:*:*:*
contaocontao4.10.0cpe:2.3:a:contao:contao:4.10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
contao	contao	*	cpe:2.3:a:contao:contao::::::::
contao	contao	4.0.0	cpe:2.3:a:contao:contao:4.0.0:::::::*
contao	contao	4.1.0	cpe:2.3:a:contao:contao:4.1.0:::::::*
contao	contao	4.2.0	cpe:2.3:a:contao:contao:4.2.0:::::::*
contao	contao	4.3.0	cpe:2.3:a:contao:contao:4.3.0:::::::*
contao	contao	4.5.0	cpe:2.3:a:contao:contao:4.5.0:::::::*
contao	contao	4.6.0	cpe:2.3:a:contao:contao:4.6.0:::::::*
contao	contao	4.7.0	cpe:2.3:a:contao:contao:4.7.0:::::::*
contao	contao	4.8.0	cpe:2.3:a:contao:contao:4.8.0:::::::*
contao	contao	4.10.0	cpe:2.3:a:contao:contao:4.10.0:::::::*

CNA Affected

[
  {
    "product": "contao",
    "vendor": "contao",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.4.56"
      },
      {
        "status": "affected",
        "version": ">= 4.5.0, < 4.9.18"
      },
      {
        "status": "affected",
        "version": ">= 4.10.0, < 4.11.7"
      }
    ]
  }
]

References

contao.org/en/security-advisories/privilege-escalation-with-the-form-generator.html

github.com/contao/contao/security/advisories/GHSA-hq5m-mqmx-fw6m

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

42.8%

JSON

Related for CVE-2021-37627