Description
Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.
Remediation
References