Contao news

Read the official Contao announcements.

Major security hole found in Contao

by Leo Feyer – Announcements

Unfortunately, an exploit now exists for the potential PHP object injection vulnerability that we fixed as a precaution in the latest updates, Contao 3.2.5 and 2.11.14.

The security hole can be used to execute arbitrary PHP code on the server and must therefore be classified as a major vulnerability. It is highly recommended to update to the latest Contao version, either 3.2.5 or 2.11.14!

If you cannot update your Contao installation on short notice, you should by all means apply the changes from commit d67c46c1. Extension developers should check their extensions to ensure that no user input is passed to the deserialize() function.
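
As an added example (not part of the original announcement and not Contao's own code), the following heuristic Python check shows one way extension developers could search their PHP sources for deserialize() or unserialize() calls that receive request data. The regular expressions, the one-step variable tracking and the sample PHP are assumptions made for illustration.

```python
import re

# Contao's deserialize() helper and PHP's native unserialize().
CALL = re.compile(r'(?<![\w$])(?:deserialize|unserialize)\s*\(')
# Request data: PHP superglobals and Contao's Input class (3.x static, 2.x $this->Input).
SOURCE = re.compile(
    r'\$_(?:GET|POST|COOKIE|REQUEST)\b'
    r'|\bInput::(?:get|post|postHtml|postRaw|cookie)\s*\('
    r'|\$this->Input->(?:get|post|postHtml|postRaw|cookie)\s*\('
)
# Plain "$var = expr;" assignments, used for one step of taint tracking.
ASSIGN = re.compile(r'(\$\w+)\s*=(?![=>])([^;]*);')

def call_argument(code, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(code)):
        if code[i] == '(':
            depth += 1
        elif code[i] == ')':
            depth -= 1
            if depth == 0:
                return code[open_idx + 1:i]
    return code[open_idx + 1:]  # unbalanced input: take the rest

def find_risky_calls(code):
    """Return (line, argument) for calls whose argument is request data."""
    tainted = {m.group(1) for m in ASSIGN.finditer(code)
               if SOURCE.search(m.group(2))}
    findings = []
    for m in CALL.finditer(code):
        arg = call_argument(code, m.end() - 1)
        via_var = any(re.search(re.escape(v) + r'\b', arg) for v in tainted)
        if SOURCE.search(arg) or via_var:
            line = code.count('\n', 0, m.start()) + 1
            findings.append((line, arg.strip()))
    return findings

# Constructed extension code, not taken from any real Contao extension.
SAMPLE = r'''<?php
$ids = deserialize($this->Input->post('ids'));
$raw = Input::cookie('prefs');
$prefs = unserialize(base64_decode($raw));
$cfg = deserialize($objModule->news_archives);
'''

if __name__ == '__main__':
    for line, arg in find_risky_calls(SAMPLE):
        print(f'line {line}: request data reaches (de|un)serialize: {arg}')
```

The check only follows direct arguments and single-step variable assignments, so values that reach deserialize() through database fields or helper functions still need manual review.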
