PT-2019-15943 · Contao · Contao

Leo Feyer · Published 2019-12-17 · Updated 2019-12-18 · CVE-2019-19745

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Contao versions 4.0 through 4.8.5
Description: A back end user with access to the form generator can upload arbitrary files and execute them on the server, which enables PHP local file inclusion. Exploitation requires a back end account with access to the form generator.
Recommendations: Update to Contao 4.4.46 or 4.8.6. As a temporary workaround, configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.
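The following Apache configuration is an added example of the temporary workaround described above; it is not part of the advisory or of Contao itself. It assumes a mod_php or PHP-FPM setup and uses /var/www/contao/files as a stand-in for the upload directory of your installation:

```apache
# Added example (not from the advisory): deny script execution in the
# Contao upload directory. The path /var/www/contao/files is an assumption;
# substitute the upload directory of your installation.
<Directory "/var/www/contao/files">
    # mod_php: switch the PHP engine off for this whole tree
    php_admin_flag engine off

    # PHP-FPM / proxy handlers: detach any handler from script-like names
    # and refuse to serve them at all
    <FilesMatch "\.(php|phtml|phar|pl|py|cgi|sh)$">
        SetHandler none
        Require all denied
    </FilesMatch>

    # An uploaded .htaccess must not be able to re-enable anything
    AllowOverride None
    Options -ExecCGI -Includes
</Directory>
```

After reloading Apache, placing a harmless test file such as probe.php in the directory and requesting it should yield a 403 response instead of executed PHP output; if the file's source or output is returned, the directive is not being applied to the path your virtual host actually serves. This only limits the impact of the weakness; the fix is the version update named in the recommendations.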

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2019-19745
GHSA-WJX8-CGRM-HH8P

Affected Products

Contao