CVE-2024-45398 — Unrestricted File Upload in Contao

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

8.8HIGHNVD

CNA8.3

EPSS

0.2%

top 56.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contao Contao Core-bundle

Timeline

PublishedSep 17

Description

Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does not execute PHP files and other scripts in the Contao file upload directory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDcontao/contao4.0.0 — 4.13.49+2

▶Packagistcontao/core-bundle4.0.0 — 4.13.49+2

▶CVEListV5contao/contao>= 5.0.0, < 5.3.15, >= 5.4.0, < 5.4.3, >=4.0.0, < 4.13.49+2

🔴Vulnerability Details

CVEList

Remote command execution through file upload in contao/core-bundle↗2024-09-17

▶

OSV

Contao affected by remote command execution through file upload↗2024-09-17

▶

GHSA

Contao affected by remote command execution through file upload↗2024-09-17

▶