Description
Contao is an open source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back end does not check whether a user is allowed to access the corresponding module. This issue has been patched in versions 5.3.38 and 5.6.1. As a workaround, do not rely solely on the voter; additionally check USER_CAN_ACCESS_MODULE.
Remediation
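The workaround from the description, sketched as an added example (not code from Contao or from this advisory): custom back end code asks for module access first and only then consults the table access voter. The class name, the namespace and the table-to-module mapping are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

namespace App\Security; // hypothetical application namespace

use Contao\CoreBundle\Security\ContaoCorePermissions;
use Contao\CoreBundle\Security\DataContainer\ReadAction;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

/**
 * Hypothetical helper: allows a back end read only when the user may open
 * the owning module AND the table access voter grants the record.
 */
final class ModuleAwareTableAccess
{
    /** Constructed sample mapping of table name to back end module key. */
    private const TABLE_TO_MODULE = [
        'tl_news' => 'news',
        'tl_calendar_events' => 'calendar',
    ];

    public function __construct(private readonly AuthorizationCheckerInterface $checker)
    {
    }

    public function canRead(string $table, array $row): bool
    {
        $module = self::TABLE_TO_MODULE[$table] ?? null;

        // Fail closed: a table with no known module is never readable here.
        if (null === $module) {
            return false;
        }

        // Module check first; on affected versions the voter alone skips it.
        if (!$this->checker->isGranted(ContaoCorePermissions::USER_CAN_ACCESS_MODULE, $module)) {
            return false;
        }

        // Record-level decision from the table access voter.
        return $this->checker->isGranted(
            ContaoCorePermissions::DC_PREFIX.$table,
            new ReadAction($table, $row)
        );
    }
}
```

Updating to 5.3.38 or 5.6.1 remains the fix; the extra module check is harmless to keep afterwards.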