by Leo Feyer

SQL injection in the file manager

Date: 2019-04-30
CVE ID: CVE-2019-11512

Description

David Wind, a penetration tester with A1 Digital, discovered that the SQL injection vulnerability originally published as CVE-2017-16558 can still be exploited through the file manager in Contao 4, i.e. the earlier fix did not fully close the issue. This residual vulnerability has been assigned the identifier CVE-2019-11512.

Affected versions

Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.38
Contao 4.5
Contao 4.6
Contao 4.7 up to 4.7.4

Suggested solution

Update to Contao 4.4.39 or 4.7.5. No fixed release is listed for the 4.1, 4.2, 4.3, 4.5 and 4.6 branches, so installations on those versions need to be migrated to 4.4.39 or 4.7.5.
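As an added triage helper (example code, not part of this advisory or of Contao itself), the following Python encodes the affected ranges and the two fixed releases listed above so that an installed version string can be checked against them. The accepted version-string format and the choice of upgrade target for branches without a fixed release (the lowest fixed release that is not below the installed version) are assumptions of this example, not statements from the advisory.

```python
"""Triage helper: is a given Contao 4 version affected by CVE-2019-11512?

Constructed example (not Contao project code). The affected ranges and the
fixed releases are taken from the advisory text. Versions the advisory does
not mention (e.g. 4.0 or 4.8) are reported as "not listed" rather than guessed.
"""
from __future__ import annotations

from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Branches the advisory lists as affected in their entirety (no fixed release).
ENTIRE_BRANCHES_AFFECTED = {(4, 1), (4, 2), (4, 3), (4, 5), (4, 6)}

# Branches with a fixed patch release: branch -> (last affected, first fixed).
PATCHED_BRANCHES = {
    (4, 4): ((4, 4, 38), (4, 4, 39)),
    (4, 7): ((4, 7, 4), (4, 7, 5)),
}

# Fixed releases the advisory tells affected users to update to, ascending.
FIXED_RELEASES = ((4, 4, 39), (4, 7, 5))


def parse_version(text: str) -> Version:
    """Parse 'x.y' or 'x.y.z' (optional leading 'v', optional '-'/'+' suffix).

    A missing patch component is treated as .0. Pre-release suffixes such as
    '-RC1' are stripped and compare as the plain release, which is the
    conservative choice for triage (assumption of this example).
    """
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_upgrade).

    status is 'affected', 'fixed' or 'not listed'; recommended_upgrade is the
    fixed release to move to, or None when no update is indicated.
    """
    v = parse_version(version_text)
    branch = (v[0], v[1])

    if branch in ENTIRE_BRANCHES_AFFECTED:
        # The advisory names no fix on this branch: migrate to a fixed branch.
        return "affected", _nearest_fixed_release(v)

    if branch in PATCHED_BRANCHES:
        last_affected, first_fixed = PATCHED_BRANCHES[branch]
        if v <= last_affected:
            return "affected", _fmt(first_fixed)
        return "fixed", None

    return "not listed", None


def _nearest_fixed_release(v: Version) -> str:
    """Lowest fixed release that is not below v; otherwise the highest one."""
    for fixed in FIXED_RELEASES:
        if fixed >= v:
            return _fmt(fixed)
    return _fmt(FIXED_RELEASES[-1])


def _fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


if __name__ == "__main__":
    # Constructed sample inputs covering each case in the advisory.
    for sample in ("4.4.38", "4.4.39", "4.7.4", "4.7.5", "4.2", "4.6.1", "4.8.0"):
        status, upgrade = assess(sample)
        print(f"{sample:>7}: {status}" + (f" -> update to {upgrade}" if upgrade else ""))
```

Run it against the version reported by your Contao installation (for example the `contao/core-bundle` entry in composer.lock); a result of "affected" on 4.1 to 4.3 points at 4.4.39 and on 4.5 or 4.6 at 4.7.5, since those branches have no fixed release of their own.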