SB2021021205 - Multiple vulnerabilities in Contao
Published: February 12, 2021 Updated: May 5, 2026
Description
This security bulletin contains information about 26 vulnerabilities.
1) Input validation error (CVE-ID: N/A)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an unspecified error. A remote attacker can send specially crafted data to the affected application and execute arbitrary code on the system.
2) SQL injection (CVE-ID: N/A)
The vulnerability allows a remote user to inject SQL commands.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in wrapper functions for Redshift REGEXP_SUBSTR and REGEXP_REPLACE and Postgres substring() when processing user-supplied regex patterns. A remote user can supply a specially crafted regex pattern to inject SQL commands.
Only installations that use a Postgres or Amazon Redshift data warehouse are affected.
3) Missing Authorization (CVE-ID: N/A)
The vulnerability allows a remote user to modify dashboards without authorization.
The vulnerability exists due to improper access control in the Revision API revert functionality when handling dashboard revision revert requests. A remote user can send a crafted revert request to modify dashboards without authorization.
This issue affects the dashboard revert action.
4) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in filter list handling in the query builder when using filters of the type "A list of all values" with data sandboxing enabled. A remote user can use crafted filter requests to disclose sensitive information.
If field values are available, all values are shown to sandboxed users. If scan-data is unavailable, the first request returns correct values, but subsequent requests from any users may see the results from the first request.
5) Inclusion of Sensitive Information in Log Files (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into metadata in the internal http client when handling HTTP errors from Presto connections using basic authentication. A remote user can trigger an error condition and obtain API responses containing unsanitized request headers to disclose sensitive information.
Only configurations using Presto with basic authentication are vulnerable.
6) Exposure of Sensitive Information Through Metadata (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the dashboard subscriptions API endpoint when handling requests for dashboard subscription metadata. A remote user can send a request to fetch metadata about dashboards and subscriptions they do not have read access to, and thereby disclose sensitive information.
The exposed metadata may include dashboard names, creators, creation times, card names, descriptions, visualization types, and subscription recipient details such as user IDs, email addresses, and Slack channels, but does not include query results or text card contents.
7) Cross-site scripting (CVE-ID: CVE-2022-24899)
The vulnerability allows a remote attacker to inject malicious script into the web page.
The vulnerability exists due to cross-site scripting in the canonical tag handling in contao/core-bundle when processing a canonical URL. A remote attacker can inject malicious code into the canonical tag to inject malicious script into the web page.
The injected code is executed on the front end.
8) Information disclosure (CVE-ID: CVE-2022-39358)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the backend request handling for embedded dashboard questions when processing crafted requests for data with locked parameters. A remote attacker can send a specially crafted request to disclose sensitive information.
The issue affects signed embedding and allows locked parameters to be circumvented for requests involving a question in an embedded dashboard.
9) Missing Critical Step in Authentication (CVE-ID: CVE-2022-39360)
The vulnerability allows a remote user to bypass single sign-on authentication.
The vulnerability exists due to a missing critical step in authentication in the password reset functionality when handling password reset requests for SSO users. A remote user can initiate a password reset for an SSO account to bypass single sign-on authentication.
10) Information disclosure (CVE-ID: CVE-2022-39359)
The vulnerability allows a remote attacker to access blocked internal network resources.
The vulnerability exists due to improper access control in custom GeoJSON map URL handling when fetching user-supplied GeoJSON URLs that respond with redirects. A remote attacker can supply a crafted GeoJSON URL to access blocked internal network resources.
The issue affects redirect handling for custom GeoJSON map URLs, including redirects to link-local or private-network addresses.
11) Product UI does not warn user of unsafe actions (CVE-ID: CVE-2022-39362)
The vulnerability allows a remote attacker to execute arbitrary SQL queries.
The vulnerability exists because the product UI does not warn the user of unsafe actions in the native query editor when handling unsaved SQL queries from a query hash. A remote attacker can trick a victim into opening a crafted query link to execute arbitrary SQL queries.
Unsaved SQL queries are automatically executed without requiring the user to manually run them.
12) Input validation error (CVE-ID: CVE-2022-39361)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation in H2 native query handling for the sample database when processing SQL queries on H2 databases. A remote user can submit specially crafted SQL queries containing DDL statements to execute arbitrary code.
The issue is limited to users able to write SQL queries on H2 databases.
13) Improper access control (CVE-ID: CVE-2023-32680)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in SQL snippet permissions enforcement when editing SQL snippets through the API or the application UI. A remote user can edit an SQL snippet to disclose sensitive information.
User interaction is required when editing the metadata for a model based on a SQL question in the application UI.
14) Cross-site scripting (CVE-ID: CVE-2023-36806)
The vulnerability allows a remote user to execute malicious script in the back end preview and on the website.
The vulnerability exists due to cross-site scripting in widgets with units when processing user-supplied widget content. A remote user can inject malicious code to execute malicious script in the back end preview and on the website.
User interaction is required for the malicious script to be executed.
15) Cross-site scripting (CVE-ID: CVE-2024-45612)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper neutralization of special elements in canonical URLs when rendering pages. A remote attacker can inject insert tags into canonical URLs to disclose sensitive information.
16) Path traversal (CVE-ID: CVE-2024-45604)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in the FileSelector widget when handling file listing requests. A remote user can access files outside their file mounts or the document root to disclose sensitive information.
17) Arbitrary file upload (CVE-ID: CVE-2024-45398)
The vulnerability allows a remote user to execute arbitrary code on the server.
The vulnerability exists due to unrestricted upload of files with dangerous types in the file manager when uploading files. A remote user can upload a malicious file to execute arbitrary code on the server.
Exploitation requires access to the back end file manager.
18) Improper access control (CVE-ID: CVE-2024-55951)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in field filter value caching when handling sandboxed dashboard filters. A remote user can access a dashboard with field filters to disclose sensitive information.
This only affects Metabase Enterprise instances with sandboxing configurations created in the affected release range, and user interaction is required.
19) Improper access control (CVE-ID: CVE-2025-27141)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in cached questions when serving cached query results to impersonated users. A remote user can run a question that returns cached results to disclose sensitive information.
This issue affects only the Enterprise Edition. User interaction is required because another user must first run the same question so that its results are cached.
20) Cross-site scripting (CVE-ID: CVE-2025-29790)
The vulnerability allows a remote user to execute arbitrary script code in the back end and/or front end.
The vulnerability exists due to cross-site scripting in SVG file upload handling when processing uploaded SVG files. A remote user can upload a malicious SVG file to execute arbitrary script code in the back end and/or front end.
User interaction is required for the malicious SVG content to be executed.
21) Improper access control (CVE-ID: CVE-2025-57758)
The vulnerability allows a remote user to modify data.
The vulnerability exists due to improper access control in the table access voter in the back end when handling access checks for the corresponding module. A remote user can access a table without authorization to modify data.
22) Improper privilege management (CVE-ID: CVE-2025-57759)
The vulnerability allows a remote user to modify page and article fields without the necessary permissions.
The vulnerability exists due to improper privilege management in page and article fields when handling back end editing operations. A remote user can edit fields of pages and articles to modify page and article fields without the necessary permissions.
Under certain conditions, back end users may be able to trigger the issue.
23) Information disclosure (CVE-ID: CVE-2025-57757)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in the news module RSS feed when generating feeds that contain protected news archives. A remote attacker can access an RSS feed containing protected news archives to disclose sensitive information.
News items from protected news archives are not filtered and can become publicly available in the RSS feed.
24) Information disclosure (CVE-ID: CVE-2025-57756)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in the front end search index when indexing protected content elements rendered as fragments. A remote attacker can search the front end search index to disclose sensitive information.
Only protected content elements that are rendered as fragments are exposed through the front end search.
25) Insufficient Type Distinction (CVE-ID: CVE-2025-65960)
The vulnerability allows a remote user to execute arbitrary PHP functions.
The vulnerability exists due to insufficient type distinction in template closures when processing attacker-controlled closure contents. A remote privileged user can control the contents of template closures to execute arbitrary PHP functions.
Only PHP functions that do not have required parameters can be executed.
26) Improper Neutralization of Alternate XSS Syntax (CVE-ID: CVE-2025-65961)
The vulnerability allows a remote user to execute script code in the browser in the front end and back end.
The vulnerability exists due to improper neutralization of alternate XSS syntax in templates when rendering template output. A remote privileged user can inject code into the template output to execute script code in the browser in the front end and back end.
Remediation
Install the update from the vendor's website.
References
- https://github.com/metabase/metabase/releases/tag/v0.36.11
- https://github.com/metabase/metabase/releases/tag/v0.37.9
- https://github.com/metabase/metabase/releases/tag/v1.37.9
- https://github.com/metabase/metabase/security/advisories/GHSA-jw8j-qp56-25m2
- https://github.com/metabase/metabase/security/advisories/GHSA-pxfh-93j9-h745
- https://github.com/metabase/metabase/security/advisories/GHSA-m8w4-6wxv-8v6m
- https://github.com/metabase/metabase/security/advisories/GHSA-m29w-4r8p-v657
- https://github.com/metabase/metabase/security/advisories/GHSA-8899-2cmw-mf97
- https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
- https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url
- https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3
- https://github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vc
- https://github.com/metabase/metabase/security/advisories/GHSA-w5j7-4mgm-77f4
- https://github.com/metabase/metabase/security/advisories/GHSA-93wj-fgjg-r238
- https://github.com/metabase/metabase/security/advisories/GHSA-gqpj-wcr3-p88v
- https://github.com/metabase/metabase/security/advisories/GHSA-mw6j-f894-4qxv
- https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
- https://contao.org/en/security-advisories/cross-site-scripting-in-widgets-with-units
- https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj
- https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls
- https://github.com/contao/contao/security/advisories/GHSA-4p75-5p53-65m9
- https://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget
- https://github.com/contao/contao/security/advisories/GHSA-vm6r-j788-hjh5
- https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads
- https://github.com/metabase/metabase/security/advisories/GHSA-rhjf-q2qw-rvx3
- https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p
- https://github.com/contao/contao/security/advisories/GHSA-vqqr-fgmh-f626
- https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads
- https://github.com/contao/contao/security/advisories/GHSA-7m47-r75r-cx8v
- https://contao.org/en/security-advisories/improper-access-control-in-the-back-end-voters
- https://github.com/contao/contao/security/advisories/GHSA-qqfq-7cpp-hcqj
- https://contao.org/en/security-advisories/improper-privilege-management-for-page-and-article-fields
- https://github.com/contao/contao/security/advisories/GHSA-w53m-gxvg-vx7p
- https://contao.org/en/security-advisories/information-disclosure-in-the-news-module
- https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475
- https://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index
- https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r
- https://contao.org/en/security-advisories/remote-code-execution-in-template-closures
- https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
- https://contao.org/en/security-advisories/cross-site-scripting-in-templates