PT-2019-11959 · Contao · Contao

Ali Razzaq · Published 2019-04-17 · Updated 2022-05-13

CVE-2019-10643

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Contao 4.7
Description: The issue allows the use of a key past its expiration date. A security researcher discovered that confirming an opt-in token does not invalidate the opt-in tokens previously issued for the same opt-in: after one token has been confirmed, the older tokens remain accepted until they expire on their own, so a stale token that should have been retired by the confirmation can still be presented to complete the opt-in.
Recommendations: Upgrade Contao 4.7 installations to a release that contains the fix referenced in the linked GitHub advisory (GHSA-J99G-QJVX-995G), where confirming an opt-in token also invalidates the other tokens issued for that opt-in. Until the upgrade is applied, as a temporary measure, reject on the application side any opt-in token that is past its expiry date or that belongs to an opt-in which has already been confirmed.
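To make the flaw concrete, the following is an added illustrative model written for this page; it is not Contao's own (PHP) code and does not reproduce Contao's internals. The `OptInStore`, the `identifier` string that groups the tokens issued for one opt-in, and the timestamps are assumptions. It contrasts a confirmation routine that only marks the presented token (the behaviour described above: sibling tokens stay valid until their own expiry) with a hardened routine that invalidates every other outstanding token for the same opt-in at confirmation time.

```python
"""Model of the opt-in token flaw (added example, not Contao code).

One opt-in (e.g. a pending registration) may be sent several tokens, for
instance when the confirmation e-mail is re-requested. Confirming one of
them must render the others unusable; the vulnerable variant only marks
the confirmed token and leaves its siblings live until they expire.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class OptInToken:
    identifier: str            # hypothetical: groups all tokens for one opt-in
    email: str
    expires_at: datetime
    confirmed_at: Optional[datetime] = None
    invalidated: bool = False


class OptInStore:
    """In-memory token store; a real system would persist this in the database."""

    def __init__(self, lifetime: timedelta = timedelta(hours=24)) -> None:
        self.lifetime = lifetime
        self.tokens: Dict[str, OptInToken] = {}

    def create(self, identifier: str, email: str, now: datetime) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = OptInToken(identifier, email, now + self.lifetime)
        return token

    def _usable(self, token: str, now: datetime) -> Optional[OptInToken]:
        """Common checks: token exists, not spent, not invalidated, not expired."""
        t = self.tokens.get(token)
        if t is None or t.invalidated or t.confirmed_at is not None:
            return None
        if now >= t.expires_at:      # expiry check is present in both variants
            return None
        return t

    def confirm_vulnerable(self, token: str, now: datetime) -> bool:
        """Marks only the presented token; older tokens for the opt-in stay live."""
        t = self._usable(token, now)
        if t is None:
            return False
        t.confirmed_at = now
        return True

    def confirm_hardened(self, token: str, now: datetime) -> bool:
        """Same check, then retires every other unconfirmed token for the opt-in."""
        t = self._usable(token, now)
        if t is None:
            return False
        t.confirmed_at = now
        for other in self.tokens.values():
            if other is not t and other.identifier == t.identifier \
                    and other.confirmed_at is None:
                other.invalidated = True
        return True


def run_scenario(hardened: bool) -> dict:
    """Issue two tokens for one opt-in, confirm the newer, then replay the older."""
    t0 = datetime(2019, 4, 17, 12, 0, tzinfo=timezone.utc)   # constructed timestamps
    store = OptInStore()
    first = store.create("reg-42", "user@example.com", t0)
    second = store.create("reg-42", "user@example.com", t0 + timedelta(minutes=5))
    stale = store.create("reg-43", "other@example.com", t0)   # never confirmed in time
    confirm = store.confirm_hardened if hardened else store.confirm_vulnerable
    return {
        "confirm_second": confirm(second, t0 + timedelta(minutes=10)),
        "replay_first": confirm(first, t0 + timedelta(minutes=15)),
        "reconfirm_second": confirm(second, t0 + timedelta(minutes=20)),
        "stale_token_after_expiry": confirm(stale, t0 + timedelta(days=2)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenario(mode))
```

In the vulnerable run `replay_first` succeeds: the older token is still inside its own 24-hour window, so the per-token expiry check alone does not stop it, and only the hardened confirmation, which retires the sibling tokens, rejects the replay. Both variants correctly refuse a token presented after its expiry and a token that has already been confirmed.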

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2019-10643
GHSA-J99G-QJVX-995G

Affected Products

Contao