First published: Tue Dec 17 2019
### Impact

A back end user with access to the form generator can upload arbitrary files and execute them on the server.

### Patches

Update to Contao 4.4.46 or 4.8.6.

### Workarounds

Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.

### References

https://contao.org/en/security-advisories/unrestricted-file-uploads

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
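One way to apply the workaround above on Apache 2.4, given here as an added example rather than configuration taken from Contao or the advisory: a `<Directory>` block that refuses to execute or serve scripts from the upload directory while still serving the images and documents that legitimately live there. It assumes a document root of `/var/www/contao/web` and Contao's default upload directory `files` (both are assumptions; adjust the path to your installation, and if uploads are configured to land somewhere else, cover that directory as well).

```apache
# Added example for the Contao upload directory; not Contao's own configuration.
# Assumed paths: document root /var/www/contao/web, upload directory "files".
<Directory "/var/www/contao/web/files">
    # If PHP runs as an Apache module, switch the engine off for this tree.
    # The module name depends on the PHP version (mod_php7.c for PHP 7).
    <IfModule mod_php.c>
        php_flag engine off
    </IfModule>

    # Detach the PHP handler and MIME type so nothing here is handed to PHP,
    # whether PHP runs as a module or behind a php-fpm SetHandler.
    RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phar
    RemoveType .php .phtml .php3 .php4 .php5 .php7 .phar

    # Refuse script-like files outright (HTTP 403) instead of serving their
    # source as plain text, which would leak anything an attacker uploaded.
    <FilesMatch "\.(php|phtml|php[3457]|phar|pl|py|cgi|sh)$">
        Require all denied
    </FilesMatch>

    # No CGI execution, no server-side includes, no directory listings.
    Options -ExecCGI -Includes -Indexes

    # Ignore any .htaccess an attacker manages to upload into this tree,
    # so it cannot re-enable the handlers removed above.
    AllowOverride None
</Directory>
```

After reloading Apache, check the effect from the outside: place a harmless `test.php` containing `<?php echo 'x';` in the directory and request it; the expected response is 403, not the script's output and not its source. Remember to delete the test file afterwards. For nginx the equivalent is a `location` block for the upload directory that returns 403 for `\.php$` requests and is ordered before the site's generic PHP `location`. This workaround only limits the impact of an upload that has already happened; the actual fix is the update in the Patches section.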
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
composer/contao/contao | >=4.0.0, <4.4.46 | 4.4.46 |
composer/contao/contao | >=4.5.0, <4.8.6 | 4.8.6 |
composer/contao/core-bundle | >=4.0.0, <4.4.46 | 4.4.46 |
composer/contao/core-bundle | >=4.5.0, <4.8.6 | 4.8.6 |
Contao Contao | >=4.4, <=4.4.45 | 4.4.46 |
Contao Contao | >=4.8, <=4.8.5 | 4.8.6 |
Contao Contao | =4.0, =4.1, =4.2, =4.3 | 4.4.46 |
Contao Contao | =4.5, =4.6, =4.7 | 4.8.6 |
CVE-2019-19745 is a vulnerability in Contao's form generator that lets a back end user with access to the form generator upload arbitrary files without proper validation, leading to remote code execution on the server.
The unrestricted file upload allows such a user to bypass the upload restrictions and place executable files, such as PHP scripts, in the upload directory, where the web server will execute them if it is not configured otherwise.
The affected versions are Contao 4.0.0 up to but not including 4.4.46, and 4.5.0 up to but not including 4.8.6 (that is, every 4.5, 4.6 and 4.7 release, and 4.8.0 through 4.8.5).
CVE-2019-19745 is considered a high severity vulnerability.
To fix CVE-2019-19745, update Contao (or contao/core-bundle) to 4.4.46 or later on the 4.4 branch, or to 4.8.6 or later, as stated in Contao's security advisory. If you cannot update immediately, configure the web server so it does not execute PHP files or other scripts in the Contao file upload directory.