CVE-2017-10993
Contao Core directory traversal vulnerability
8.8
HIGH
CVSS 3.1
EPSS 0.83%
Description
A logged-in back end user can include arbitrary PHP files by manipulating a URL parameter. Since Contao does not allow PHP files to be uploaded through the file manager, the attack is limited to PHP files that already exist on the server.
How to fix CVE-2017-10993
To remediate CVE-2017-10993, upgrade the affected package to a fixed version below.
- Packagist/contao/contao: upgrade to 4.4.1 or later
- : upgrade to 3.5.28 or later
- : upgrade to 4.4.1 or later
Is CVE-2017-10993 being exploited?
Low: EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 4.0.0, < 4.4.1
- >= 3.0.0, < 3.5.28
- >= 4.0.0, < 4.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |