PT-2023-22197 · Contao · Contao
Leofeyer
·
Publicado
2023-04-25
·
Atualizado
2025-01-02
·
CVE-2023-29200
CVSS v3.1
8.8
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Contao versions prior to 4.9.40
Contao versions prior to 4.13.21
Contao versions prior to 5.1.4
Description
Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files.
Recommendations
Update to Contao 4.9.40 to receive a patch.
Update to Contao 4.13.21 to receive a patch.
Update to Contao 5.1.4 to receive a patch.
As a temporary workaround, consider restricting access to the file manager for logged-in users until a patch is applied.
Exploit
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Contao