SQL Injection Affecting contao/core-bundle package, versions >=3.0.0, <3.5.30 >=4.0.0, <4.4.8
Snyk CVSS
Attack Complexity
Low
Threat Intelligence
EPSS
0.15% (51st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-CONTAOCOREBUNDLE-70372
- published 4 Dec 2017
- disclosed 15 Nov 2017
- credit Unknown
Introduced: 15 Nov 2017
CVE-2017-16558 Open this link in a new tabHow to fix?
Upgrade contao/core-bundle
to versions 3.5.30, 4.4.8 or higher.
Overview
Affected versions of contao/core-bundle
are vulnerable to SQL Injection
Both the search filter in the back end and the "listing" module in the front end are vulnerable. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.