Contao news

Read the official Contao announcements.

Contao 3.2.5 is available

by Leo Feyer – Announcements

Contao version 3.2.5 is available. The bugfix release fixes a potential PHP object injection vulnerability (thanks to Pedro Ribeiro).

The vulnerability exists, because POST data is passed to the deserialize() function, which was the case in the core multiple times. However, we were not able to exploit the vulnerability if the POST data was accessed via the Contao Input class. This does not mean that it cannot be accomplished though.

We recommend the extension developers to review their code and clean the deserialize() calls with POST data. We highly recommend the users to upgrade to Contao 3.2.5.

Also see: GitHub tickets | GitHub compare view | Contao changelog | Release overview

Show all news


Add a comment

Please calculate 3 plus 1.