CVE-2017-10993 — Path Traversal in Contao

CWE-22 — Path Traversal4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.8%

top 25.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contao Contao Core Contao Core-bundle +1 more

Timeline

PublishedJul 21

Latest updateMay 13

Description

Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Packagistcontao/core3.0.0 — 3.5.28

▶Packagistcontao/contao4.0.0 — 4.4.1

▶Packagistcontao/core-bundle4.0.0 — 4.4.1

▶NVDcontao/contao_cms3.5.27+27

🔴Vulnerability Details

GHSA

Contao Core directory traversal vulnerability↗2022-05-13

▶

OSV

Contao Core directory traversal vulnerability↗2022-05-13

▶

CVEList

CVE-2017-10993: Contao before 3↗2017-07-21

▶