Vulnerability Description
Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify fields that are shown in the front end. Update to Contao 4.4.56, 4.9.18 or 4.11.7 to resolve. If you cannot update then disable the login for untrusted back end users.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Contao | Contao | >= 4.4.0, < 4.4.56 |
Related Weaknesses (CWE)
References
- https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.htmVendor Advisory
- https://github.com/contao/contao/security/advisories/GHSA-r6mv-ppjc-4hgrThird Party Advisory
- https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.htmVendor Advisory
- https://github.com/contao/contao/security/advisories/GHSA-r6mv-ppjc-4hgrThird Party Advisory
FAQ
What is CVE-2021-37626?
CVE-2021-37626 is a vulnerability with a CVSS score of 7.2 (HIGH). Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Ins...
How severe is CVE-2021-37626?
CVE-2021-37626 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-37626?
Check the references section above for vendor advisories and patch information. Affected products include: Contao Contao.