Incorrect default permissions in Contao - CVE-2019-19712


Published: December 17, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU34960
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-19712
CWE-ID: CWE-276
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Contao
Affected software:
Contao

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
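The weakness described above (CWE-276, a back-end user changing the record ID in a details view URL to reach pages and articles they were never enabled for) comes down to a missing object-level authorization check. The PHP below is an added illustration written for this page, not Contao's code: the classes, functions, page store and permission data are all hypothetical and constructed, and it shows a weak handler that only checks for a login beside a corrected one that checks the requested ID against the user's own permission set and logs denials.

```php
<?php
// Added example, not Contao's code. Every name here (BackendUser, PAGES,
// showDetailsWeak, showDetailsHardened) is hypothetical; the data is constructed.
declare(strict_types=1);

final class BackendUser
{
    /** @param int[] $allowedPages page IDs this user has been granted (constructed) */
    public function __construct(public readonly string $name, private array $allowedPages) {}

    public function hasAccessToPage(int $pageId): bool
    {
        return in_array($pageId, $this->allowedPages, true);
    }
}

/** Constructed page store standing in for the database. */
const PAGES = [
    1 => ['title' => 'Public landing page'],
    2 => ['title' => 'Marketing drafts'],
    3 => ['title' => 'Internal pricing notes'],
];

/**
 * Weak version: trusts the ID taken from the URL and only checks that someone
 * is logged in, so any back-end user can read any page by editing ?id=.
 */
function showDetailsWeak(?BackendUser $user, array $query): array
{
    if ($user === null) {
        return ['status' => 403, 'body' => 'login required'];
    }
    $id = (int) ($query['id'] ?? 0);
    if (!array_key_exists($id, PAGES)) {
        return ['status' => 404, 'body' => 'not found'];
    }
    return ['status' => 200, 'body' => PAGES[$id]['title']];
}

/**
 * Hardened version: the object-level check runs on every request, against the
 * user's own permission set, before anything about the record is revealed.
 * Unauthorised and non-existent IDs get the same response so the URL cannot be
 * used to enumerate which pages exist, and each denial is logged for detection.
 */
function showDetailsHardened(?BackendUser $user, array $query): array
{
    if ($user === null) {
        return ['status' => 403, 'body' => 'login required'];
    }
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !array_key_exists($id, PAGES) || !$user->hasAccessToPage($id)) {
        // Many denials across different IDs from one user is the signature of
        // the URL manipulation described in the advisory.
        error_log(sprintf(
            'details view denied: user=%s id=%s',
            $user->name,
            var_export($query['id'] ?? null, true)
        ));
        return ['status' => 404, 'body' => 'not found'];
    }
    return ['status' => 200, 'body' => PAGES[$id]['title']];
}

// Usage: an editor enabled only for page 1 requests page 3 through the URL.
$editor = new BackendUser('editor', [1]);
print_r(showDetailsWeak($editor, ['id' => '3']));
print_r(showDetailsHardened($editor, ['id' => '3']));
print_r(showDetailsHardened($editor, ['id' => '1']));
```

With the constructed data, the weak handler returns status 200 with the title of page 3 to a user who was only granted page 1, while the hardened handler returns 404 for that request, writes a denial to the error log, and still returns 200 for the permitted page 1. The design point is that the permission lookup is keyed on the authenticated user and the specific record, not on the user merely having a back-end session.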


How to mitigate CVE-2019-19712

Install the update from the vendor's website.

Sources