Description
Information disclosure in the Contao backend
Impact
Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
Patches
Update to Contao 4.4.46 or 4.8.6.
Workarounds
None.
References
https://contao.org/en/security-advisories/information-disclosure-in-the-back-end
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Links
- https://github.com/contao/contao/security/advisories/GHSA-4mvc-qc5w-v5qr
- https://nvd.nist.gov/vuln/detail/CVE-2019-19712
- https://contao.org/en/news.html
- https://contao.org/en/security-advisories/information-disclosure-in-the-back-end.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-19712.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-19712.yaml
Packages

| Name | Affected versions | Fixed version |
| --- | --- | --- |
| contao/core-bundle (composer) | >= 4.0.0, < 4.4.46 | 4.4.46 |
| contao/core-bundle (composer) | >= 4.5.0, < 4.8.6 | 4.8.6 |
| contao/contao (composer) | >= 4.0.0, < 4.4.46 | 4.4.46 |
| contao/contao (composer) | >= 4.5.0, < 4.8.6 | 4.8.6 |
Related vulnerabilities
CVSS3: 5.3
nvd
about 6 years ago
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.