CVE-2019-19745

Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
contaocontao
4.4 ≤
𝑥
≤ 4.4.45
contaocontao
4.8 ≤
𝑥
≤ 4.8.5
contaocontao
4.0
contaocontao
4.1
contaocontao
4.2
contaocontao
4.3
contaocontao
4.5
contaocontao
4.6
contaocontao
4.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://contao.org/en/news.html
https://contao.org/en/security-advisories/unrestricted-file-uploads.html
https://contao.org/en/news.html
https://contao.org/en/security-advisories/unrestricted-file-uploads.html