by Leo Feyer

PHP file inclusion via insert tags

Date: 2021-08-11
CVE ID: CVE-2021-37626

Description

Untrusted back end users can load arbitrary PHP files via insert tags.

Installations are only affected if there are untrusted back end users.

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.55
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9 up to 4.9.17
Contao 4.10
Contao 4.11 up to 4.11.6

Suggested solution

Update to Contao 4.4.56, 4.9.18 or 4.11.7.
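A version check that encodes the affected ranges and fixed releases listed above, so an administrator can tell from the installed version whether an instance needs the update and which release to move to. This is an added example and is not part of the advisory or of Contao itself; it assumes you obtain the installed version yourself (for instance from the output of composer show contao/core-bundle) and it only knows the 4.x branches the advisory names.

```python
"""Check an installed Contao version against CVE-2021-37626.

Added example, not part of the advisory or of Contao. The affected branches
and fixed releases below are copied from the advisory text; the caller
supplies the installed version string (assumption: e.g. taken from
`composer show contao/core-bundle`).
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, one per maintained 4.x branch.
FIXED_RELEASES: Tuple[Version, ...] = ((4, 4, 56), (4, 9, 18), (4, 11, 7))

# The advisory lists the 4.0 through 4.11 branches as affected; within the
# 4.4, 4.9 and 4.11 branches, releases from FIXED_RELEASES onwards are safe.
FIRST_AFFECTED_MINOR = 0
LAST_AFFECTED_MINOR = 11


def parse_version(text: str) -> Version:
    """Parse '4.9.17', 'v4.11.6' or '4.10' (a missing patch level means 0)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version: Version) -> bool:
    """True if the version falls into one of the advisory's affected ranges."""
    major, minor, _ = version
    # Only 4.x branches are listed in the advisory; anything else is out of scope here.
    if major != 4 or not (FIRST_AFFECTED_MINOR <= minor <= LAST_AFFECTED_MINOR):
        return False
    # A branch with a fixed release is affected only below that release.
    for fixed in FIXED_RELEASES:
        if fixed[1] == minor:
            return version < fixed
    # Branches without a fixed release (4.0-4.3, 4.5-4.8, 4.10) are affected throughout.
    return True


def recommended_update(version: Version) -> Optional[Version]:
    """Smallest fixed release newer than the installed one, or None if not affected."""
    if not is_affected(version):
        return None
    return min(f for f in FIXED_RELEASES if f > version)


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def check(text: str) -> str:
    """One-line verdict for a version string."""
    v = parse_version(text)
    target = recommended_update(v)
    if target is None:
        return f"Contao {format_version(v)}: not affected by CVE-2021-37626"
    return (f"Contao {format_version(v)}: AFFECTED by CVE-2021-37626, "
            f"update to {format_version(target)}")


if __name__ == "__main__":
    import sys
    # Constructed sample inputs when no version is given on the command line.
    for arg in sys.argv[1:] or ["4.9.17", "4.9.18", "4.3.5", "4.11.6", "5.0.0"]:
        print(check(arg))
```

The update target is chosen as the lowest fixed release above the installed version, which matches the advisory's recommendation: 4.4.56 for anything below 4.4.56, 4.9.18 for the 4.5 to 4.9 range, and 4.11.7 for 4.10 and 4.11.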

Workaround

Disable the login for untrusted back end users.

More information

https://github.com/contao/contao/security/advisories/GHSA-r6mv-ppjc-4hgr