CVE-2024-45398

Published: Sep 17, 2024Modified: Sep 25, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does not execute PHP files and other scripts in the Contao file upload directory.

Affected (3)

Products: Contao: Contao

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Contao Contao	From 4.0.0 to 4.13.49
Contao Contao	From 5.0.0 to 5.3.15
Contao Contao	From 5.4.0 to 5.4.3

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads

Source: security-advisories@github.com

Vendor Advisory

https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5

Source: security-advisories@github.com

Third Party Advisory

Timeline

No history available yet.