First published: Wed Aug 11 2021(Updated: )
### Impact It is possible for untrusted users to load arbitrary PHP files via insert tags. Installations are only affected if there are untrusted back end users. ### Patches Update to Contao 4.4.56, 4.9.18 or 4.11.7. ### Workarounds Disable the login for untrusted back end users. ### References https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/contao/core-bundle | >=4.0.0<4.4.56>=4.5.0<4.6.0>=4.6.0<4.7.0>=4.7.0<4.8.0>=4.8.0<4.9.0>=4.9.0<4.9.18>=4.10.0<4.11.0>=4.11.0<4.11.7 | |
composer/contao/contao | >=4.0.0<4.4.56>=4.5.0<4.6.0>=4.6.0<4.7.0>=4.7.0<4.8.0>=4.8.0<4.9.0>=4.9.0<4.9.18>=4.10.0<4.11.0>=4.11.0<4.11.7 | |
Contao Contao | >=4.4.0<4.4.56 | |
Contao Contao | >=4.9.0<4.9.18 | |
Contao Contao | >=4.11.0<4.11.7 | |
Contao Contao | =4.0.0 | |
Contao Contao | =4.1.0 | |
Contao Contao | =4.2.0 | |
Contao Contao | =4.3.0 | |
Contao Contao | =4.5.0 | |
Contao Contao | =4.6.0 | |
Contao Contao | =4.7.0 | |
Contao Contao | =4.8.0 | |
Contao Contao | =4.10.0 | |
composer/contao/contao | >=4.10.0<4.11.7 | 4.11.7 |
composer/contao/contao | >=4.5.0<4.9.18 | 4.9.18 |
composer/contao/contao | >=4.0.0<4.4.56 | 4.4.56 |
composer/contao/core-bundle | >=4.10.0<4.11.7 | 4.11.7 |
composer/contao/core-bundle | >=4.5.0<4.9.18 | 4.9.18 |
composer/contao/core-bundle | >=4.0.0<4.4.56 | 4.4.56 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-37626 is a vulnerability in Contao that allows file inclusion via insert tags in the Contao back end.
CVE-2021-37626 has a severity rating of 7.2 (High).
Versions between 4.0.0 and 4.4.56, 4.5.0 and 4.6.0, 4.6.0 and 4.7.0, 4.7.0 and 4.8.0, 4.8.0 and 4.9.0, 4.9.0 and 4.9.18, 4.10.0 and 4.11.0, 4.11.0 and 4.11.7 of Contao are affected by CVE-2021-37626.
To fix CVE-2021-37626, it is recommended to update Contao to a version that is not affected by the vulnerability.
You can find more information about CVE-2021-37626 in the Contao security advisories and the GitHub security advisory.