Contao orgCONTAO:PRIVILEGE-ESCALATION-WITH-THE-FORM-GENERATORPrivilege escalation with the form generator
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
42.8%
Date: 2021-08-11 CVE ID: CVE-2021-37627
Description
It is possible for untrusted users to gain administrator rights with the form generator.
Installations are only affected if there are untrusted back end users with access to the form generator.
Affected versions
Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.55
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9 up to 4.9.17
Contao 4.10
Contao 4.11 up to 4.11.6
Suggested solution
Update to Contao 4.4.56, 4.9.18 or 4.11.7.
Workaround
Disable the form generator or disable the login for untrusted back end users.
More information
<https://github.com/contao/contao/security/advisories/GHSA-hq5m-mqmx-fw6m>
Related
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
42.8%