CVELIST:CVE-2024-45398 (source: GitHub_M)
History: Sep 17, 2024 - 7:56 p.m.

CVE-2024-45398 Remote command execution through file upload in contao/core-bundle

Published: 2024-09-17 19:56:00
CWE: CWE-434
Source: GitHub_M
Reference: www.cve.org
Tags: cve-2024-45398, remote command execution, file upload vulnerability, contao/core-bundle, open source cms, malicious file upload, server security, update advisory, web server configuration

CVSS3: 8.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.001
Percentile: 20.0%

Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does not execute PHP files and other scripts in the Contao file upload directory.

CNA Affected

[
  {
    "vendor": "contao",
    "product": "contao",
    "versions": [
      {
        "version": ">=4.0.0, < 4.13.49",
        "status": "affected"
      },
      {
        "version": ">= 5.0.0, < 5.3.15",
        "status": "affected"
      },
      {
        "version": ">= 5.4.0, < 5.4.3",
        "status": "affected"
      }
    ]
  }
]

