contao/core Insufficient input validation allows for code injection and remote execution

2024-05-1518:31:02

Google

osv.dev

contao

input validation

code injection

remote execution

vulnerability

software

7.9 High

AI Score

Confidence

High

JSON

contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. In fact, attackers can remove or change pathconfig.php by entering a URL, meaning that the entire Contao installation will no longer be accessible or malicious code can be executed.

CPENameOperatorVersion
contao/coreeq3.0.6
contao/coreeq2.11.8
contao/coreeq2.10.1
contao/coreeq2.6.5
contao/coreeq2.11.12
contao/coreeq3.1.RC1
contao/coreeq2.7.6
contao/coreeq3.1.beta1
contao/coreeq3.1.4
contao/coreeq3.0.4

Name	Operator	Version
contao/core	eq	3.0.6
contao/core	eq	2.11.8
contao/core	eq	2.10.1
contao/core	eq	2.6.5
contao/core	eq	2.11.12
contao/core	eq	3.1.RC1
contao/core	eq	2.7.6
contao/core	eq	3.1.beta1
contao/core	eq	3.1.4
contao/core	eq	3.0.4

Rows per page:

1-10 of 841

References

c-c-a.org/aktuelles/news/details/eine-neue-kritische-sicherheitsluecke-in-contao-entdeckt

github.com/contao/core/commit/d45503568751a868193929ef349a49ae5e6686f0

github.com/contao/core/commit/d4a14f167e0cbb2e77c7829299e5b36f55c1ebce

github.com/contao/core/issues/6855

github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/2014-04-07.yaml

web.archive.org/web/20240214121817/https://contao.org/en/news/new-security-hole-found-in-contao

7.9 High

AI Score

Confidence

High

JSON