CVE-2019-19745: Malicious File Upload
First published: Tue Dec 17 2019(Updated: )
### Impact A back end user with access to the form generator can upload arbitrary files and execute them on the server. ### Patches Update to Contao 4.4.46 or 4.8.6. ### Workarounds Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory. ### References https://contao.org/en/security-advisories/unrestricted-file-uploads ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/contao/contao | >=4.0.0<4.4.46>=4.5.0<4.6.0>=4.6.0<4.7.0>=4.7.0<4.8.0>=4.8.0<4.8.6 | |
| composer/contao/core-bundle | >=4.0.0<4.4.46>=4.5.0<4.6.0>=4.6.0<4.7.0>=4.7.0<4.8.0>=4.8.0<4.8.6 | |
| Contao Contao | >=4.4<=4.4.45 | |
| Contao Contao | >=4.8<=4.8.5 | |
| Contao Contao | =4.0 | |
| Contao Contao | =4.1 | |
| Contao Contao | =4.2 | |
| Contao Contao | =4.3 | |
| Contao Contao | =4.5 | |
| Contao Contao | =4.6 | |
| Contao Contao | =4.7 | |
| composer/contao/contao | >=4.5.0<4.8.6 | 4.8.6 |
| composer/contao/contao | >=4.0.0<4.4.46 | 4.4.46 |
| composer/contao/core-bundle | >=4.5.0<4.8.6 | 4.8.6 |
| composer/contao/core-bundle | >=4.0.0<4.4.46 | 4.4.46 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://contao.org/en/security-advisories/unrestricted-file-uploads.html
- https://contao.org/en/news.html
- https://github.com/contao/contao/security/advisories/GHSA-wjx8-cgrm-hh8p
- https://nvd.nist.gov/vuln/detail/CVE-2019-19745
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-19745.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-19745.yaml
- https://github.com/advisories/GHSA-wjx8-cgrm-hh8p (Advisory)
Frequently Asked Questions
What is CVE-2019-19745?
CVE-2019-19745 is a vulnerability that allows attackers to upload files without proper validation, leading to potential remote code execution.
How does the unrestricted file uploads vulnerability work?
The unrestricted file uploads vulnerability allows attackers to bypass file upload restrictions and upload malicious files to the server.
Which software versions are affected by CVE-2019-19745?
The affected software versions include Contao versions 4.0.0 to 4.4.46, 4.5.0 to 4.6.0, 4.6.0 to 4.7.0, 4.7.0 to 4.8.0, and 4.8.0 to 4.8.6.
What is the severity of CVE-2019-19745?
CVE-2019-19745 is considered a high severity vulnerability.
How can I fix CVE-2019-19745?
To fix CVE-2019-19745, update Contao or Core Bundle to a version higher than the affected ones, as mentioned in the security advisories provided by Contao.
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wjx8-cgrm-hh8p
- alias/CVE-2019-19745
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- agent/tags
- collector/github-advisory
- package-manager/composer
- vendor/contao
- canonical/contao contao
- version/contao contao/4.4
- version/contao contao/4.4.45
- version/contao contao/4.8
- version/contao contao/4.8.5
- version/contao contao/4.0
- version/contao contao/4.1
- version/contao contao/4.2
- version/contao contao/4.3
- version/contao contao/4.5
- version/contao contao/4.6
- version/contao contao/4.7