Contao news
Read the official Contao announcements.
Contao 2.11.14 is available
by Leo Feyer – Announcements
Contao version 2.11.14 is available. The bugfix release fixes a potential PHP object injection vulnerability (thanks to Pedro Ribeiro).
The vulnerability exists because POST data is passed to the deserialize() function, which was the case in the core multiple times. However, we were not able to exploit the vulnerability if the POST data was accessed via the Contao Input class. This does not mean that it cannot be accomplished though.
We recommend that extension developers review their code and clean up deserialize() calls that receive POST data. We highly recommend that users upgrade to Contao 2.11.14.
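The pattern the announcement warns about, as an added illustration that is not Contao's own code and does not reproduce the actual 2.11.14 fix: a request field named `options` (a hypothetical name) is handed straight to PHP's `unserialize()`, which is what Contao's `deserialize()` wraps, next to two defensive alternatives an extension developer could use instead.

```php
<?php
// Added example (not Contao code). Assumes a hypothetical POST field "options".

// Vulnerable pattern: raw request data reaches unserialize(). Whoever controls the
// string chooses which class is instantiated, so the __wakeup()/__destruct() logic of
// any class the application has loaded can run with attacker-chosen properties.
function loadOptionsUnsafe(array $post): array
{
    $value  = $post['options'] ?? '';
    $result = @unserialize($value); // object injection happens here, before the type check
    return is_array($result) ? $result : [];
}

// Hardened variant 1: refuse input that encodes an object at all. The regex matches the
// serialized-object tokens O:<len>:"Class" and C:<len>:"Class" at top level or inside an
// array; plain scalars and arrays still round-trip. allowed_classes=false (PHP >= 7.0)
// is a second line of defence in case the regex misses a form.
function safeDeserialize(string $value): array
{
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $value)) {
        return []; // fail closed: keep the default instead of the hostile value
    }
    $result = @unserialize($value, ['allowed_classes' => false]);
    return is_array($result) ? $result : [];
}

// Hardened variant 2: do not accept PHP's serialize() format from clients. JSON cannot
// express objects with behaviour, so json_decode() on untrusted input has no equivalent risk.
function loadOptionsJson(array $post): array
{
    $decoded = json_decode($post['options'] ?? '', true);
    return is_array($decoded) ? $decoded : [];
}

// Constructed inputs for a self-check: one benign array, one string that encodes an object.
$benign  = serialize(['color' => 'red', 'size' => 3]);
$hostile = 'O:8:"stdClass":1:{s:4:"name";s:1:"x";}';

var_dump(loadOptionsUnsafe(['options' => $hostile])); // empty array, but the object was already built
var_dump(safeDeserialize($benign));                    // ['color' => 'red', 'size' => 3]
var_dump(safeDeserialize($hostile));                   // [] - rejected before unserialize() runs
var_dump(loadOptionsJson(['options' => '{"color":"red"}'])); // ['color' => 'red']
```

The point of the first function is that the `is_array()` check comes too late: `unserialize()` has already instantiated whatever class the payload named. Rejecting object tokens up front, or switching the wire format to JSON, removes the decision from the untrusted party.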
Also see: GitHub compare view | Contao changelog | Release overview