CVE-2017-16558
Published 2019-04-25

CVE-2017-16558: Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the back end as well as in the listing module.

Priority: P3 · 47 · critical 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.18% (63.7th percentile)
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contao | contao | 3.0.0 – 3.5.30 | — |
| contao | contao | >= 4.0.0 < 4.4.8 | 4.4.8 |
| contao | contao | >= 4.1.0 < 4.4.39 | 4.4.39 |
| contao | contao | >= 4.5.0 < 4.7.5 | 4.7.5 |
| contao | contao_cms | 3.0.0 – 3.5.30 | — |
| contao | contao_cms | 4.0.0 – 4.4.7 | — |
| contao | core-bundle | 3.0.0 – 3.5.30 | — |
| contao | core-bundle | >= 4.0.0 < 4.4.8 | 4.4.8 |
| contao | core-bundle | >= 4.1.0 < 4.4.39 | 4.4.39 |
| contao | core-bundle | >= 4.5.0 < 4.7.5 | 4.7.5 |
| contao | listing-bundle | 3.0.0 – 3.5.30 | — |
| contao | listing-bundle | >= 4.0.0 < 4.4.8 | 4.4.8 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
OSV: CVE-2019-11512 [CRITICAL] Contao SQL injection in the file manager
osv · 2022-05-24 · CVSS 9.8
David Wind, penetration tester with A1 Digital, has discovered that the SQL injection vulnerability originally published under CVE-2017-16558 can still be exploited in the file manager in Contao 4.
OSV: CVE-2017-16558 [CRITICAL] Contao SQL injection in the backend and listing module
osv · 2022-05-24
Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the backend as well as in the listing module.
GHSA: CVE-2019-11512 [CRITICAL] CWE-89 Contao SQL injection in the file manager
ghsa · 2022-05-24 · CVSS 9.8
David Wind, penetration tester with A1 Digital, has discovered that the SQL injection vulnerability originally published under CVE-2017-16558 can still be exploited in the file manager in Contao 4.
GHSA: CVE-2017-16558 [CRITICAL] CWE-89 Contao SQL injection in the backend and listing module
ghsa · 2022-05-24
Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the backend as well as in the listing module.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.