Contao up to 3.5.36/4.4.30/4.6.10 Access Control access control

Summaryinfo

A vulnerability labeled as critical has been found in Contao up to 3.5.36/4.4.30/4.6.10. This impacts an unknown function of the component Access Control. Executing a manipulation can lead to access control. This vulnerability is registered as CVE-2018-20028. It is possible to launch the attack remotely. No exploit is available. The affected component should be upgraded.

Detailsinfo

A vulnerability has been found in Contao up to 3.5.36/4.4.30/4.6.10 and classified as critical. This vulnerability affects an unknown part of the component Access Control. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 has Incorrect Access Control.

The weakness was published 04/17/2019 (Website). The advisory is shared for download at contao.org. This vulnerability was named CVE-2018-20028 since 12/10/2018. The exploitation appears to be easy. The attack can be initiated remotely. A single authentication is necessary for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068.

Upgrading to version 3.6.37, 4.4.31 or 4.6.11 eliminates this vulnerability.

Similar entries are available at VDB-133784, VDB-133785 and VDB-133786. Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Contao

Version

• 3.5.0
• 3.5.1
• 3.5.2
• 3.5.3
• 3.5.4
• 3.5.5
• 3.5.6
• 3.5.7
• 3.5.8
• 3.5.9
• 3.5.10
• 3.5.11
• 3.5.12
• 3.5.13
• 3.5.14
• 3.5.15
• 3.5.16
• 3.5.17
• 3.5.18
• 3.5.19
• 3.5.20
• 3.5.21
• 3.5.22
• 3.5.23
• 3.5.24
• 3.5.25
• 3.5.26
• 3.5.27
• 3.5.28
• 3.5.29
• 3.5.30
• 3.5.31
• 3.5.32
• 3.5.33
• 3.5.34
• 3.5.35
• 3.5.36
• 4.4.0
• 4.4.1
• 4.4.2
• 4.4.3
• 4.4.4
• 4.4.5
• 4.4.6
• 4.4.7
• 4.4.8
• 4.4.9
• 4.4.10
• 4.4.11
• 4.4.12
• 4.4.13
• 4.4.14
• 4.4.15
• 4.4.16
• 4.4.17
• 4.4.18
• 4.4.19
• 4.4.20
• 4.4.21
• 4.4.22
• 4.4.23
• 4.4.24
• 4.4.25
• 4.4.26
• 4.4.27
• 4.4.28
• 4.4.29
• 4.4.30
• 4.6.0
• 4.6.1
• 4.6.2
• 4.6.3
• 4.6.4
• 4.6.5
• 4.6.6
• 4.6.7
• 4.6.8
• 4.6.9
• 4.6.10

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion