CVE-2021-37626

Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify fields that are shown in the front end. Update to Contao 4.4.56, 4.9.18 or 4.11.7 to resolve. If you cannot update then disable the login for untrusted back end users.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.3.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.5.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.6.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.7.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.8.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.10.0:*:*:*:*:*:*:*

History

20 Aug 2021, 18:37

Type Values Removed Values Added
CPE cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.10.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.7.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.5.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.3.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.6.0:*:*:*:*:*:*:*
cpe:2.3:a:contao:contao:4.8.0:*:*:*:*:*:*:*
CWE CWE-94
CVSS v2 : unknown
v3 : unknown
v2 : 6.5
v3 : 7.2
References (MISC) https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html - (MISC) https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html - Vendor Advisory
References (CONFIRM) https://github.com/contao/contao/security/advisories/GHSA-r6mv-ppjc-4hgr - (CONFIRM) https://github.com/contao/contao/security/advisories/GHSA-r6mv-ppjc-4hgr - Third Party Advisory

11 Aug 2021, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-08-11 23:15

Updated : 2024-02-04 21:47


NVD link : CVE-2021-37626

Mitre link : CVE-2021-37626

CVE.ORG link : CVE-2021-37626


JSON object : View

Products Affected

contao

  • contao
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')