GitHub Advisory Database: GHSA-WXXW-5GQ6-J2G5
History: May 15, 2024 - 6:31 p.m.

contao/core Insufficient input validation allows for code injection and remote execution

2024-05-15 18:31:02
GitHub Advisory Database
github.com

AI Score: 7.9 High (Confidence: High)

contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. Attackers can remove or change pathconfig.php by entering a URL, which means that the entire Contao installation will no longer be accessible or that malicious code can be executed.

Affected configurations

Vulners
Node
contao contao Range <3.2.9
OR
contao contao Range <2.11.17

CPE Name       Operator   Version
contao/core    lt         3.2.9
contao/core    lt         2.11.17
