by Leo Feyer
SQL injection in the file manager
Date: 2019-04-30
CVE ID: CVE-2019-11512
Description
David Wind, a penetration tester with A1 Digital, has discovered that the SQL injection vulnerability originally published under CVE-2017-16558 can still be exploited in the file manager in Contao 4. The new vulnerability has been assigned the identifier CVE-2019-11512.
Affected versions
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.38
Contao 4.5
Contao 4.6
Contao 4.7 up to 4.7.4
Suggested solution
Update to Contao 4.4.39 or 4.7.5.