Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

Directory traversal in the file manager

by Leo Feyer

Date: 2023-04-25
CVE ID: CVE-2023-29200

Authenticated users in the back end can list files outside the document root in the file manager. However, it is not possible to read the contents of these files.

Thanks to Daniel Barros for reporting the problem.

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9 up to 4.9.39
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.20
Contao 5.0
Contao 5.1 up to 5.1.3

Suggested solution

Upgrade to Contao 4.9.40, 4.13.21 or 5.1.4.

More information

https://github.com/contao/contao/security/advisories/GHSA-fp7q-xhhw-6rj3