CVE-2025-57758

Published: Aug 28, 2025Modified: Sep 2, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back end doesn't check if a user is allowed to access the corresponding module. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not relying solely on the voter and additionally to check USER_CAN_ACCESS_MODULE.

Affected (2)

Products: Contao: Contao

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Contao Contao	From 5.3.0 to 5.3.38
Contao Contao	From 5.4.0 to 5.6.1

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (3)

https://contao.org/en/security-advisories/improper-access-control-in-the-back-end-voters

Source: security-advisories@github.com

Vendor Advisory

https://github.com/contao/contao/commit/3f05c603e1c94d34819f837f060df5d66447d0d7

Source: security-advisories@github.com

Patch

https://github.com/contao/contao/security/advisories/GHSA-7m47-r75r-cx8v

Source: security-advisories@github.com

Third Party Advisory

Timeline

No history available yet.