CVE-2021-37626: Code Injection
First published: Wed Aug 11 2021(Updated: )
### Impact It is possible for untrusted users to load arbitrary PHP files via insert tags. Installations are only affected if there are untrusted back end users. ### Patches Update to Contao 4.4.56, 4.9.18 or 4.11.7. ### Workarounds Disable the login for untrusted back end users. ### References https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/contao/core-bundle | >=4.0.0<4.4.56>=4.5.0<4.6.0>=4.6.0<4.7.0>=4.7.0<4.8.0>=4.8.0<4.9.0>=4.9.0<4.9.18>=4.10.0<4.11.0>=4.11.0<4.11.7 | |
| composer/contao/contao | >=4.0.0<4.4.56>=4.5.0<4.6.0>=4.6.0<4.7.0>=4.7.0<4.8.0>=4.8.0<4.9.0>=4.9.0<4.9.18>=4.10.0<4.11.0>=4.11.0<4.11.7 | |
| Contao Contao | >=4.4.0<4.4.56 | |
| Contao Contao | >=4.9.0<4.9.18 | |
| Contao Contao | >=4.11.0<4.11.7 | |
| Contao Contao | =4.0.0 | |
| Contao Contao | =4.1.0 | |
| Contao Contao | =4.2.0 | |
| Contao Contao | =4.3.0 | |
| Contao Contao | =4.5.0 | |
| Contao Contao | =4.6.0 | |
| Contao Contao | =4.7.0 | |
| Contao Contao | =4.8.0 | |
| Contao Contao | =4.10.0 | |
| composer/contao/contao | >=4.10.0<4.11.7 | 4.11.7 |
| composer/contao/contao | >=4.5.0<4.9.18 | 4.9.18 |
| composer/contao/contao | >=4.0.0<4.4.56 | 4.4.56 |
| composer/contao/core-bundle | >=4.10.0<4.11.7 | 4.11.7 |
| composer/contao/core-bundle | >=4.5.0<4.9.18 | 4.9.18 |
| composer/contao/core-bundle | >=4.0.0<4.4.56 | 4.4.56 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html
- https://github.com/contao/contao/security/advisories/GHSA-r6mv-ppjc-4hgr
- https://nvd.nist.gov/vuln/detail/CVE-2021-37626
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-37626.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-37626.yaml
- https://github.com/advisories/GHSA-r6mv-ppjc-4hgr (Advisory)
Frequently Asked Questions
What is CVE-2021-37626?
CVE-2021-37626 is a vulnerability in Contao that allows file inclusion via insert tags in the Contao back end.
How severe is CVE-2021-37626?
CVE-2021-37626 has a severity rating of 7.2 (High).
Which versions of Contao are affected by CVE-2021-37626?
Versions between 4.0.0 and 4.4.56, 4.5.0 and 4.6.0, 4.6.0 and 4.7.0, 4.7.0 and 4.8.0, 4.8.0 and 4.9.0, 4.9.0 and 4.9.18, 4.10.0 and 4.11.0, 4.11.0 and 4.11.7 of Contao are affected by CVE-2021-37626.
How can I fix CVE-2021-37626?
To fix CVE-2021-37626, it is recommended to update Contao to a version that is not affected by the vulnerability.
Where can I find more information about CVE-2021-37626?
You can find more information about CVE-2021-37626 in the Contao security advisories and the GitHub security advisory.
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r6mv-ppjc-4hgr
- alias/CVE-2021-37626
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- agent/tags
- collector/github-advisory
- package-manager/composer
- vendor/contao
- canonical/contao contao
- version/contao contao/4.4.0
- version/contao contao/4.9.0
- version/contao contao/4.11.0
- version/contao contao/4.0.0
- version/contao contao/4.1.0
- version/contao contao/4.2.0
- version/contao contao/4.3.0
- version/contao contao/4.5.0
- version/contao contao/4.6.0
- version/contao contao/4.7.0
- version/contao contao/4.8.0
- version/contao contao/4.10.0