CVE-2019-19745 — Unrestricted File Upload in Contao

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 36.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contao Contao Core-bundle

Timeline

PublishedDec 17

Description

Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Packagistcontao/contao4.0.0 — 4.4.46+1

▶Packagistcontao/core-bundle4.0.0 — 4.4.46+1

▶NVDcontao/contao4.4 — 4.4.45+8

🔴Vulnerability Details

CVEList

CVE-2019-19745: Contao 4↗2019-12-17

▶

OSV

Unrestricted file uploads in Contao↗2019-12-17

▶

GHSA

Unrestricted file uploads in Contao↗2019-12-17

▶