CVE-2019-10643

Description

Security researcher Ali Razzaq has discovered that confirming an opt-in token does not invalidate previous opt-in tokens in Contao 4.7.

How to fix CVE-2019-10643

To remediate CVE-2019-10643, upgrade the affected package to a fixed version below.

• Packagist/contao/contao—upgrade to 4.7.3 or later
• Packagist/contao/core-bundle—upgrade to 4.7.3 or later

Is CVE-2019-10643 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 4.7.0, < 4.7.3
• >= 4.7.0, < 4.7.3

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10643
• WEBcontao.org/en/news.html
• WEBcontao.org/en/news/security-vulnerability-cve-2019-10643.html
• WEBgithub.com/contao/contao/commit/70348cc812b110831ad66a4f9857883f75649b88