Security advisories
Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
Directory traversal in the file manager
by Leo Feyer
Date: 2023-04-25
CVE ID: CVE-2023-29200
Authenticated users in the back end can list files outside the document root in the file manager. However, it is not possible to read the contents of these files.
Thanks to Daniel Barros for reporting the problem.
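As an added illustration of the bug class this advisory describes (this is not Contao's code and not its actual fix), the Python below resolves a user-supplied path against a document root before listing it and rejects any request that escapes the root through `..` segments, absolute paths or symlinks; the function names and the temporary directory layout are constructed for the demonstration.

```python
"""Confining a file-manager directory listing to the document root.

Added example, not Contao's own code. It shows the check a listing
endpoint needs: resolve the user-supplied path and prove it still lies
under the document root before reading the directory.
"""
import os
import tempfile
from pathlib import Path


def resolve_under_root(root: Path, requested: str) -> Path:
    """Return the absolute path for `requested`, or raise ValueError if it
    escapes `root` once normalised. `..` segments, absolute paths and
    symlinks are all resolved before the containment comparison."""
    root = root.resolve()
    # Join first, then resolve. Resolving the user string on its own would
    # let an absolute path such as "/etc" skip the document root entirely.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes document root: {requested!r}") from None
    return candidate


def list_directory(root: Path, requested: str) -> list[str]:
    """List entry names of a directory that must sit inside `root`."""
    target = resolve_under_root(root, requested)
    return sorted(p.name for p in target.iterdir())


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise the check.
    Returns, per request, either the listing or the string "rejected"."""
    base = Path(tempfile.mkdtemp())
    root = base / "web"                       # hypothetical document root
    (root / "files").mkdir(parents=True)
    (root / "files" / "report.pdf").write_text("pdf")
    (base / "secret").mkdir()                 # directory outside the root
    (base / "secret" / "config.txt").write_text("x")
    os.symlink(base / "secret", root / "files" / "link")  # symlink escape
    results = {}
    for req in ["files", "files/../../secret", "/etc", "files/link"]:
        try:
            results[req] = list_directory(root, req)
        except ValueError:
            results[req] = "rejected"
    return results
```

Only the plain `files` request is served; the three traversal attempts are refused before any directory is read.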
Affected versions
Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9 up to 4.9.39
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.20
Contao 5.0
Contao 5.1 up to 5.1.3
Suggested solution
Upgrade to Contao 4.9.40, 4.13.21 or 5.1.4.
More information
https://github.com/contao/contao/security/advisories/GHSA-fp7q-xhhw-6rj3