CVE-2017-10993

Published Jul 21, 2017

Last updated 21 days ago

CVSS high 8.8

Overview

Description: Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.
Source: cve@mitre.org
NVD status: Deferred

Risk scores

CVSS 3.0

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 6.5
Impact score: 6.4
Exploitability score: 8
Vector string: AV:N/AC:L/Au:S/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-22

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "345EFF44-3226-4823-92C5-3E94043A0384",
            "versionEndIncluding": "3.5.27"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A36BE117-EB7C-416B-A0C8-FAD70E65C7F5"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.0.0:beta1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "63498341-5F80-4552-A533-3DA0C398FEA9"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.0.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D08FA6D9-CFF9-496A-A4E3-35CFBB832802"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D45C3808-BEDF-403A-A972-630067B29525"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.0.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "590812CA-69C8-433B-B95E-F9419655E950"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.0.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FFE4F7CE-9A04-4A84-9C45-28DC84A386BE"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.0.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3C978D3A-B6B3-4BD7-9C49-F5D9C076B498"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "50F00A7E-AE29-40CA-AE6B-D5FEBE483CB8"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.1.0:beta1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F57CC647-3B81-475D-A4A3-499D223941F8"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.1.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D0473068-D670-41FE-AFCD-0B14E9EC8705"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.1.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BD176B3F-51E2-4BC0-9C34-116C2532F2D0"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.1.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5AB7FC43-D899-4AF2-B48B-CA689D8E0E60"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.1.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3856C8EA-96A6-4164-BA6B-C7B2827416C3"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AD7B0B82-B936-4283-BB12-16E4CD1024A6"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.2.0:beta1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F67D76B5-92C0-4403-9F7C-DB91C0A8E52B"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.2.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "103492BC-2152-41D6-9A3D-EE95AE5AE8A2"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "89E9C0D4-3DC2-4AB6-BE48-FBAB387FF24A"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.2.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "228151A7-BBC0-413C-9220-05D3F45D148F"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.2.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "49A00DDA-346C-476F-832B-D0DA9B8CB926"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.2.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "563EA1E3-ECB2-454B-BC0D-5E7AFE2A1566"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.2.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A33B5AE6-7AD8-4F7A-8E72-21962C601E82"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5239F9C4-1601-477D-9CB4-C95586BB3F6E"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "45C8E022-7F37-4BFA-9D28-C083ADE58CBF"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "479DEA11-6158-476F-AEC6-2BED5AC3FC5C"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "75BE9E24-F0EA-4D5F-B172-92EBE3FC8F5F"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A4728FDD-09FD-4752-AC10-BEA4BFC3C16C"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4BBD2BD2-341E-4332-8A78-8973895A8C40"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DFA95607-828A-4FBB-818F-D22DBD4A19DC"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E145183E-26DD-435B-B060-8E3F17F0EA7C"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BCC3036F-A8BA-402F-9F94-E5A8CA880606"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "47FE8357-7569-4F12-847B-F615BBB75486"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.10:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AA64EC0D-FACA-4683-84AA-8288BECD376D"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.3.11:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1CE3E158-9C34-490E-8858-F887A98AFB9F"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3759FE91-B5BF-4DAD-B972-FB23C5FE12C0"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.4.0:beta1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "45C095B1-09F3-43EE-9738-8157ED74A5F1"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.4.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0D08445B-DCB8-416A-A0E1-62D9E1E68B0A"
          },
          {
            "criteria": "cpe:2.3:a:contao:contao_cms:4.4.0:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1A176687-80CF-4159-97CA-05B332F5E295"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References