Description
Contao applies improper access control in the back end voters
Impact
The table access voter in the back end doesn't check if a user is allowed to access the corresponding module.
Patches
Update to Contao 5.3.38 or 5.6.1.
Workarounds
Do not rely solely on the voter and additionally check USER_CAN_ACCESS_MODULE.
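As an added illustration of that workaround (this is example code, not Contao's own or the advisory's), the guard below refuses a back-end record unless both the module check and the table access voter allow it. Assumptions not taken from the advisory: the table-to-module map is constructed for the example, the class name ModuleAccessGuard is hypothetical, and the voter is queried with the Contao 5 DataContainer attribute prefix and a ReadAction subject as I understand that API.

```php
<?php

declare(strict_types=1);

// Added example (not Contao's own code): applies the advisory's workaround by
// checking USER_CAN_ACCESS_MODULE explicitly before consulting the table
// access voter, so neither check is relied on alone.
// Assumptions: TABLE_TO_MODULE is illustrative, ModuleAccessGuard is a
// hypothetical name, and the DC_PREFIX/ReadAction call follows the Contao 5
// DataContainer security API.

namespace App\Security;

use Contao\CoreBundle\Security\ContaoCorePermissions;
use Contao\CoreBundle\Security\DataContainer\ReadAction;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

final class ModuleAccessGuard
{
    // Constructed mapping from table to the back-end module that owns it;
    // derive the real one from your DCA / back-end module configuration.
    private const TABLE_TO_MODULE = [
        'tl_article' => 'article',
        'tl_page'    => 'page',
        'tl_user'    => 'user',
    ];

    public function __construct(private readonly Security $security)
    {
    }

    /**
     * True only if BOTH the module check and the table voter permit reading
     * the record. A user with field rights on the table but no access to the
     * owning module is rejected here even if the voter alone would say yes.
     */
    public function canReadRecord(string $table, array $record): bool
    {
        $module = self::TABLE_TO_MODULE[$table] ?? null;

        // Unknown table: fail closed instead of guessing a module.
        if (null === $module) {
            return false;
        }

        // The advisory's workaround: check module access explicitly.
        if (!$this->security->isGranted(ContaoCorePermissions::USER_CAN_ACCESS_MODULE, $module)) {
            return false;
        }

        // Only then ask the table access voter (attribute "contao_dc.<table>").
        return $this->security->isGranted(
            ContaoCorePermissions::DC_PREFIX.$table,
            new ReadAction($table, $record),
        );
    }

    /** Throwing variant for controllers and DCA callbacks. */
    public function denyUnlessCanRead(string $table, array $record): void
    {
        if (!$this->canReadRecord($table, $record)) {
            throw new AccessDeniedException(sprintf('Not allowed to read a %s record', $table));
        }
    }
}
```

Register the class as a service and call denyUnlessCanRead() from the place that loads the record (for example a DCA onload callback or a custom back-end controller). After updating to 5.3.38 or 5.6.1 the core voter performs the module check itself; keeping the explicit check does no harm and documents the intended authorization order.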
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Packages
Package              Affected versions        Patched version
contao/core-bundle   >= 5.0.0, < 5.3.38       5.3.38
contao/core-bundle   >= 5.4.0-RC1, < 5.6.1    5.6.1
contao/contao        >= 5.0.0, < 5.3.38       5.3.38
contao/contao        >= 5.4.0-RC1, < 5.6.1    5.6.1
Related vulnerabilities
Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back end doesn't check if a user is allowed to access the corresponding module. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not relying solely on the voter and additionally checking USER_CAN_ACCESS_MODULE.