Lucene search
GoogleOSV:GHSA-X5G4-CRXQ-QXJXHistoryMay 13, 2022 - 1:42 a.m.
Contao Core directory traversal vulnerability
2022-05-1301:42:03
Google
osv.dev
7
A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.
References
contao.org/en/news/contao-3_5_28.html
contao.org/en/news/contao-4_4_1.html
github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-10993.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-10993.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2017-10993.yaml
nvd.nist.gov/vuln/detail/CVE-2017-10993
Related
friendsofphp
friendsofphp
github
github
Contao Core directory traversal vulnerability
2022-05-13 01:42:03
cvelist
cvelist
CVE-2017-10993
2017-07-21 06:00:00
veracode
veracode
Directory Traversal
2017-07-25 02:58:12
nvd
nvd
CVE-2017-10993
2017-07-21 06:29:00
contao
contao
PHP file inclusion in the back end
2017-07-12 00:00:00
osv
osv
CVE-2017-10993
2017-07-21 06:29:00
cve
cve
CVE-2017-10993
2017-07-21 06:29:00
prion
prion
Directory traversal
2017-07-21 06:29:00