CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 20.0%
Back end users with access to the file manager can upload malicious files and execute them on the server.
Update to Contao 4.13.49, 5.3.15 or 5.4.3.
Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.
https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads
If you have any questions or comments about this advisory, open an issue in contao/contao.
Thanks to Jakob Steeg from usd AG for reporting this vulnerability.
contao.org/en/security-advisories/remote-command-execution-through-file-uploads
github.com/contao/contao
github.com/contao/contao/commit/9445d509f12a7f1b68a4794dcc5e3e459b363ebb
github.com/contao/contao/commit/a7e39f96ac8fdc281f7caaa96e01deb0e24ac7d3
github.com/contao/contao/commit/f3db59ffe5a6c0e1f705b3230ebd5ff16865280e
github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5
nvd.nist.gov/vuln/detail/CVE-2024-45398