CVE-2017-10993

Name of the Vulnerable Software and Affected Versions Contao versions prior to 3.5.28 Contao versions 4.x prior to 4.4.1

Description The issue allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL. This can be exploited by a logged-in back-end user who manipulates a URL parameter to include arbitrary PHP files. The attack is limited to existing PHP files on the server, as Contao does not allow uploading PHP files through its file manager.

Recommendations For Contao versions prior to 3.5.28, update to version 3.5.28 or later. For Contao versions 4.x prior to 4.4.1, update to version 4.4.1 or later. As a temporary workaround, consider restricting access to sensitive PHP files and limiting the ability of back-end users to manipulate URL parameters until a patch is applied.