PT-2023-22197 · Contao · Contao
Leofeyer
·
Published
2023-04-25
·
Updated
2025-01-02
·
CVE-2023-29200
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Contao versions prior to 4.9.40
Contao versions prior to 4.13.21
Contao versions prior to 5.1.4
Description
Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files.
Recommendations
Update to Contao 4.9.40 to receive a patch.
Update to Contao 4.13.21 to receive a patch.
Update to Contao 5.1.4 to receive a patch.
As a temporary workaround, consider restricting access to the file manager for logged-in users until a patch is applied.
Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Contao