Description

Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify fields that are shown in the front end. Update to Contao 4.4.56, 4.9.18 or 4.11.7 to resolve. If you cannot update then disable the login for untrusted back end users.

Remediation

References

CVE-2021-37626

Related Vulnerabilities

Contao Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2017-16558)

WordPress Plugin Captcha by BestWebSoft Cross-Site Scripting (4.2.9)

Apache Tomcat CVE-2016-5018 Vulnerability (CVE-2016-5018)

Ruby Resource Management Errors Vulnerability (CVE-2008-3443)

Oracle JRE CVE-2019-2989 Vulnerability (CVE-2019-2989)

Severity

High

Classification

CVE-2021-37626 CWE-94 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities