CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.001 Low
Percentile: 45.7%
Date: 2023-04-25
CVE ID: CVE-2023-29200
Authenticated users in the back end can list files outside the document root in the file manager. However, it is not possible to read the contents of these files.
Thanks to Daniel Barros for reporting the problem.
Affected versions
Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9 up to 4.9.39
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.20
Contao 5.0
Contao 5.1 up to 5.1.3
Suggested solution
Upgrade to Contao 4.9.40, 4.13.21 or 5.1.4.
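To check an installation against the ranges above, the following added example (not part of the advisory or the Contao project) reads a `composer.lock` and reports whether the installed core version is affected and which fixed release applies. The package names `contao/core-bundle` and `contao/contao` are an assumption about where the core version is recorded, and the sample lock file is constructed.

```python
import json
import re

# Affected ranges from the advisory as half-open intervals [first, fixed).
# Branches with no patched release of their own (4.0-4.8, 4.10-4.12, 5.0)
# run up to the next fixed version listed under "Suggested solution".
AFFECTED = [
    ((4, 0, 0), (4, 9, 40)),
    ((4, 10, 0), (4, 13, 21)),
    ((5, 0, 0), (5, 1, 4)),
]
# Assumption: Composer packages that carry the Contao core version.
PACKAGES = ("contao/core-bundle", "contao/contao")

def parse_version(raw):
    """Return (major, minor, patch), or None for dev/pre-release strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def check_version(raw):
    """Return (status, fixed_version); status is affected, not-affected or unknown."""
    v = parse_version(raw)
    if v is None:
        return "unknown", None  # do not guess for dev-main, 5.1.x-dev, RCs
    for first, fixed in AFFECTED:
        if first <= v < fixed:
            return "affected", ".".join(map(str, fixed))
    return "not-affected", None

def check_lock(lock_text):
    """Scan composer.lock JSON text and report each Contao core package found."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") in PACKAGES:
            status, fixed = check_version(pkg.get("version", ""))
            findings.append((pkg["name"], pkg.get("version"), status, fixed))
    return findings

# Constructed sample lock file, not taken from a real installation.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "contao/core-bundle", "version": "4.13.20"},
    {"name": "symfony/http-kernel", "version": "v5.4.22"},
]})

if __name__ == "__main__":
    for name, version, status, fixed in check_lock(SAMPLE_LOCK):
        print(name, version, status, "upgrade to " + fixed if fixed else "")
```

A status of `unknown` means the version string is not a plain release number and needs a manual check.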
More information
<https://github.com/contao/contao/security/advisories/GHSA-fp7q-xhhw-6rj3>