Description
contao/core Insufficient input validation allows for code injection and remote execution
contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. In fact, attackers can remove or change pathconfig.php by entering a URL, meaning that the entire Contao installation will no longer be accessible or malicious code can be executed.
References
- https://github.com/contao/core/issues/6855
- https://github.com/contao/core/commit/d45503568751a868193929ef349a49ae5e6686f0
- https://github.com/contao/core/commit/d4a14f167e0cbb2e77c7829299e5b36f55c1ebce
- https://c-c-a.org/aktuelles/news/details/eine-neue-kritische-sicherheitsluecke-in-contao-entdeckt
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/2014-04-07.yaml
- https://web.archive.org/web/20240214121817/https://contao.org/en/news/new-security-hole-found-in-contao
Packages
Name: contao/core (composer)
Affected versions: >= 2.0.0, < 2.11.17
Fixed version: 2.11.17

Name: contao/core (composer)
Affected versions: >= 3.0.0, < 3.2.9
Fixed version: 3.2.9
9 Critical
CVSS3