Directory traversal in the file manager

Date: 2023-04-25
CVE ID: CVE-2023-29200

Authenticated users in the back end can list files outside the document root in the file manager. However, it is not possible to read the contents of these files.

Thanks to Daniel Barros for reporting the problem.

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9 up to 4.9.39
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.20
Contao 5.0
Contao 5.1 up to 5.1.3

Suggested solution

Upgrade to Contao 4.9.40, 4.13.21 or 5.1.4.

More information

https://github.com/contao/contao/security/advisories/GHSA-fp7q-xhhw-6rj3