Arbitrary File Inclusion

Affecting contao/core package, versions >=3.0.0, <3.5.28 || >=4.0.0, <4.4.1


Overview

Affected versions of contao/core are vulnerable to Arbitrary File Inclusion (CWE-829). A logged-in back end user can include arbitrary PHP files by manipulating a URL parameter, so the vulnerability requires valid back end credentials (low privileges, in CVSS terms) but no further interaction. Since Contao does not allow PHP files to be uploaded through its file manager, the attack is limited to PHP files that already exist on the server.
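The following is an added illustration of the vulnerability class, not Contao's own code: a generic PHP include driven by a URL parameter, beside a hardened version that confines the target with an allowlist and a realpath containment check. The parameter name `file`, the directory layout and the allowlist contents are assumptions made for the example.

```php
<?php
// Added example of CWE-829 (inclusion of functionality from an untrusted
// control sphere). Not Contao's code: the "file" parameter, the module
// directory and the allowlist below are assumptions for illustration.

declare(strict_types=1);

// --- Vulnerable pattern: the include target comes straight from the URL. ---
// A request such as ?file=../../config/secrets.php includes whatever PHP
// file already exists at that path. This mirrors the advisory's point that,
// without a way to upload PHP, the attacker is limited to files on disk.
function vulnerableInclude(string $baseDir, string $fileParam): void
{
    include $baseDir . '/' . $fileParam; // no validation at all
}

// --- Hardened pattern: allowlist the raw parameter, then resolve and confine
// the path so that symlinks or stray "../" segments cannot escape $baseDir. ---
function resolveIncludePath(string $baseDir, string $fileParam, array $allowed): ?string
{
    // Check the raw parameter against the allowlist first: "x.php/../y.php",
    // absolute paths and NUL bytes never match an allowlisted entry.
    if (!in_array($fileParam, $allowed, true)) {
        return null;
    }

    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $fileParam);
    if ($base === false || $target === false) {
        return null; // base directory missing or target does not exist
    }

    // Defence in depth: the resolved target must sit inside the resolved base.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $target;
}

function safeInclude(string $baseDir, string $fileParam, array $allowed): bool
{
    $path = resolveIncludePath($baseDir, $fileParam, $allowed);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    include $path;
    return true;
}

// Self-contained demo: a temporary module directory with one allowed file
// (constructed here so the script runs offline).
$dir = sys_get_temp_dir() . '/incl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/dashboard.php', "<?php echo \"dashboard loaded\\n\";");
$allowed = ['dashboard.php'];

// Allowed module resolves to a path inside $dir; traversal and a
// "dashboard.php/../dashboard.php" variant are both rejected.
var_dump(resolveIncludePath($dir, 'dashboard.php', $allowed) !== null);
var_dump(resolveIncludePath($dir, '../../etc/passwd', $allowed));
var_dump(resolveIncludePath($dir, 'dashboard.php/../dashboard.php', $allowed));

safeInclude($dir, 'dashboard.php', $allowed);

unlink($dir . '/dashboard.php');
rmdir($dir);
```

The allowlist comparison is done on the raw parameter before any filesystem call, so the realpath containment check is a second layer rather than the only one; relying on realpath alone still lets an attacker include any PHP file that legitimately lives under the base directory.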

Remediation

Upgrade contao/core to version 3.5.28 or higher on the 3.x branch, or 4.4.1 or higher on the 4.x branch.

CVSS Score

8.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Credit
Unknown
CVE
CVE-2017-10993
CWE
CWE-829
Snyk ID
SNYK-PHP-CONTAOCORE-70019
Disclosed
12 Jul, 2017
Published
12 Jul, 2017