Contao Core directory traversal vulnerability
High severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Apr 25, 2024
Description
Published by the National Vulnerability Database
Jul 21, 2017
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Apr 25, 2024
Last updated
Apr 25, 2024
A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.
References