contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. Attackers can remove or change pathconfig.php by entering a URL, which means the entire Contao installation can be made inaccessible or malicious code can be executed.
c-c-a.org/aktuelles/news/details/eine-neue-kritische-sicherheitsluecke-in-contao-entdeckt
github.com/contao/core/commit/d45503568751a868193929ef349a49ae5e6686f0
github.com/contao/core/commit/d4a14f167e0cbb2e77c7829299e5b36f55c1ebce
github.com/contao/core/issues/6855
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/2014-04-07.yaml
web.archive.org/web/20240214121817/https://contao.org/en/news/new-security-hole-found-in-contao