Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does not execute PHP files and other scripts in the Contao file upload directory.
References
Link | Resource |
---|---|
https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads | Vendor Advisory |
https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
25 Sep 2024, 19:20
Type | Values Removed | Values Added |
---|---|---|
First Time |
Contao contao
Contao |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
References | () https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads - Vendor Advisory | |
References | () https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5 - Third Party Advisory | |
CPE | cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:* |
20 Sep 2024, 12:30
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
17 Sep 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-17 20:15
Updated : 2024-09-25 19:20
NVD link : CVE-2024-45398
Mitre link : CVE-2024-45398
CVE.ORG link : CVE-2024-45398
JSON object : View
Products Affected
contao
- contao
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type