SB2019121729 - Multiple vulnerabilities in Contao
Published: December 17, 2019
Updated: August 8, 2020
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2019-19745)
The vulnerability allows a remote authenticated user to execute arbitrary code.
Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.
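The following is an added example, not code from the bulletin or from the Contao project, showing the kind of server-side check that prevents a form upload from becoming executable code: an extension allowlist that inspects every dotted segment of the filename (so a double extension cannot slip through), a content-type check on the actual bytes, and storage under a server-generated name in a directory the web server does not execute scripts from. The function names, the allowlists and the upload directory are assumptions chosen for illustration.

```php
<?php
// Added example (not Contao code). Assumed names: allowedUploadName(),
// storeUpload(), ALLOWED_EXTENSIONS, ALLOWED_MIME and the $uploadRoot path.

declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const ALLOWED_MIME       = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];

/**
 * Returns true only if the client-supplied filename carries allowlisted
 * extensions. Every segment after the base name is checked, so a name such
 * as "page.php.jpg" is rejected, not just one whose last extension is bad.
 */
function allowedUploadName(string $originalName): bool
{
    $base = basename($originalName);          // strip any directory components
    if ($base === '' || $base[0] === '.') {   // no hidden files, no empty names
        return false;
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false;                         // no extension at all
    }
    array_shift($parts);                      // drop the base name, keep extensions
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Stores an accepted upload under a random server-generated name inside a
 * directory that is not configured for script execution. The user-supplied
 * name never reaches the filesystem. Returns the stored path, or null when
 * the upload is rejected for any reason.
 */
function storeUpload(array $file, string $uploadRoot): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!allowedUploadName($file['name'] ?? '')) {
        return null;
    }
    // Check the real content type of the temporary file, not the MIME type
    // the client sent along with the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return null;
    }
    $ext    = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $target = rtrim($uploadRoot, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640);                     // readable by the application, never executable
    return $target;
}

// Usage (assumed form field name and upload directory):
// $path = storeUpload($_FILES['document'] ?? [], '/var/www/uploads-noexec');
// if ($path === null) { http_response_code(400); exit('upload rejected'); }
```

The directory passed as `$uploadRoot` should additionally be excluded from PHP handling in the web server configuration, so that even a file that somehow passes the checks is served as static content rather than interpreted.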
2) Incorrect default permissions (CVE-ID: CVE-2019-19712)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
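The following is an added example, not code from the bulletin or from the Contao project, showing the authorization pattern that closes this class of issue: the record id taken from the details view URL is validated and checked against the current user's permitted pages and articles before any record is loaded, so editing the URL cannot reveal a record the user was not granted. The `BackendUser` class, `detailsView()` and `findRecord()` are stand-ins written for this illustration; the table names are used only as labels.

```php
<?php
// Added example (not Contao code). Assumed names: BackendUser, detailsView(),
// findRecord(); the table labels 'tl_page' and 'tl_article' are illustrative.

declare(strict_types=1);

final class BackendUser
{
    /**
     * @param int[] $pageIds    ids of pages this user may view
     * @param int[] $articleIds ids of articles this user may view
     */
    public function __construct(private array $pageIds, private array $articleIds)
    {
    }

    // Deny by default: an unknown table maps to an empty allowlist.
    public function canView(string $table, int $id): bool
    {
        $allowed = match ($table) {
            'tl_page'    => $this->pageIds,
            'tl_article' => $this->articleIds,
            default      => [],
        };
        return in_array($id, $allowed, true);
    }
}

// Stand-in for the real data lookup; returns a constructed record label.
function findRecord(string $table, int $id): string
{
    return "$table#$id";
}

/**
 * Resolves a details request. Both the table and the id come from the query
 * string, so the id is validated as an integer and the permission check runs
 * before the record is fetched. Unauthorized ids and unknown tables yield 403,
 * which also avoids leaking whether a given id exists.
 */
function detailsView(BackendUser $user, array $query): array
{
    $table = (string) ($query['table'] ?? '');
    $id    = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !$user->canView($table, $id)) {
        return ['status' => 403, 'body' => 'access denied'];
    }
    return ['status' => 200, 'body' => findRecord($table, $id)];
}

// Constructed usage: this user may view page 5 only.
$user = new BackendUser(pageIds: [5], articleIds: []);
$granted = detailsView($user, ['table' => 'tl_page', 'id' => '5']);
$denied  = detailsView($user, ['table' => 'tl_page', 'id' => '6']);
$unknown = detailsView($user, ['table' => 'tl_other', 'id' => '5']);
printf("page 5: %d, page 6: %d, other table: %d\n",
    $granted['status'], $denied['status'], $unknown['status']);
```

The point of the pattern is that the permission decision is made from the user's stored grants and the requested id alone, never from anything else carried in the URL, and that it happens before the lookup rather than as a filter applied to a record that has already been rendered.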
Remediation
Install the update from the vendor's website.