CVE-2017-10993: PHP file inclusion vulnerability in the back end

July 21, 2017 (updated October 2, 2019)

A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.

References

contao.org/en/news/contao-4_4_1.html
github.com/contao/core-bundle/commit/2a85914f4ba858780ffbac38a468acb7028772c7

Code Behaviors & Features

Detect and mitigate CVE-2017-10993 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →