SQL Injection

Affecting contao/core package, versions >=3.0.0, <3.5.31

Overview

Affected versions of contao/core are vulnerable to SQL Injection.

Both the search filter in the back end and the "listing" module in the front end are vulnerable. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.
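The advisory names two entry points (the back end search filter and the front end listing module) but shows no code. The following is an added illustration, not Contao's code and not a reproduction of the flaw: a hypothetical search filter written first with the string-concatenation pattern that produces CWE-89, then with a bound parameter. The table name `tl_entries`, the column `title` and the sample rows are constructed for this example.

```php
<?php
// Added example (not Contao's code): a back-end style search filter written
// twice, first with the string-concatenation pattern behind CWE-89, then
// with a prepared statement. Table and column names are hypothetical.

declare(strict_types=1);

// Unsafe: the user-supplied term becomes part of the SQL text, so quote
// characters in $term change the structure of the statement.
function findEntriesUnsafe(PDO $db, string $term): array
{
    $sql = "SELECT id, title FROM tl_entries WHERE title LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the term travels as a bound parameter and never touches the SQL text.
// LIKE wildcards are escaped so a term such as "50%" matches literally.
function findEntriesSafe(PDO $db, string $term): array
{
    $escaped = addcslashes($term, '%_\\');
    $stmt = $db->prepare(
        "SELECT id, title FROM tl_entries WHERE title LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demonstration on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tl_entries (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO tl_entries (title) VALUES ('Welcome'), ('50% off'), ('Contact')");

print_r(findEntriesSafe($db, '50%'));   // only the literal "50% off" row
```

The fix that matters is the second function: once the search term is bound as a parameter, nothing the user types can alter the query's structure, regardless of whether the caller is an authenticated back end user or an anonymous front end visitor.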

Remediation

Upgrade contao/core to version 3.5.31 or higher.
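As an added check (not Snyk's or Contao's tooling), this reads the locked version of `contao/core` out of a `composer.lock` and tests it against the affected range from this advisory (`>=3.0.0`, `<3.5.31`). The `composer.lock` fragment embedded below is constructed; point `lockedVersion()` at the real file contents in practice.

```php
<?php
// Added example (not Snyk's or Contao's tooling): check a composer.lock for
// contao/core and decide whether the installed version is in the affected
// range stated in this advisory (>=3.0.0 and <3.5.31).

declare(strict_types=1);

const CONTAO_AFFECTED_FROM = '3.0.0';
const CONTAO_FIXED_IN = '3.5.31';

// Returns true when $version satisfies >=3.0.0 and <3.5.31.
function contaoCoreIsAffected(string $version): bool
{
    $v = ltrim($version, 'v');
    return version_compare($v, CONTAO_AFFECTED_FROM, '>=')
        && version_compare($v, CONTAO_FIXED_IN, '<');
}

// Reads the locked version of a package from composer.lock JSON, or null
// when the package is not present in the "packages" list.
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === $package) {
            return $pkg['version'];
        }
    }
    return null;
}

// Constructed composer.lock fragment standing in for a real file.
$sampleLock = '{"packages":[{"name":"contao/core","version":"3.5.30"}]}';
$installed = lockedVersion($sampleLock, 'contao/core');

if ($installed !== null && contaoCoreIsAffected($installed)) {
    echo "contao/core $installed is affected; upgrade to " . CONTAO_FIXED_IN . " or later\n";
} else {
    echo "contao/core " . ($installed ?? 'not installed') . " is not in the affected range\n";
}
```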

CVSS Score

6.3 (medium severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Credit
Unknown
CVE
CVE-2017-16558
CWE
CWE-89
Snyk ID
SNYK-PHP-CONTAOCORE-70373
Disclosed
15 Nov, 2017
Published
04 Dec, 2017