David Wind, penetration tester with A1 Digital, has discovered that the SQL injection vulnerability originally published under CVE-2017-16558 can still be exploited in the file manager in Contao 4.
contao.org/en/news/security-vulnerability-cve-2019-11512.html
github.com/contao/contao/commit/87d92f823b08b91a0aeb522284537c8afcdb8aba
github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-11512.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-11512.yaml
nvd.nist.gov/vuln/detail/CVE-2019-11512