Contao news

Read the official Contao announcements.

Contao 3.5.28 is available

2017-07-12 10:11 by Leo Feyer – Announcements

Contao version 3.5.28 is available. The bugfix release fixes an arbitrary PHP file inclusion vulnerability in the back end.

CVE-2017-10993

A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.

The issue affects Contao 3.0.0 to 3.5.27 and Contao 4.0.0 to 4.4.0.

Although we do not consider the vulnerability to be critical, we strongly recommend to update to either Contao 3.5.28 or Contao 4.4.1.

Also see: GitHub tickets | GitHub compare view | Contao changelog | Release overview

Show all news

Comments

Add a comment

News archive

2024 – 3 entries
2023 – 6 entries
2022 – 7 entries
2021 – 18 entries
2020 – 14 entries
2019 – 13 entries
2018 – 27 entries
2017 – 38 entries
2016 – 28 entries
2015 – 29 entries
2014 – 33 entries
2013 – 30 entries
2012 – 33 entries
2011 – 18 entries
2010 – 18 entries
2009 – 24 entries
2008 – 22 entries
2007 – 23 entries
2006 – 11 entries

RSS feed
Twitter
See all options