Contao CMS <= 3.2.5 PHP object insertion

Credit: Pedro Ribeiro
Risk: High
Local: No
Remote: Yes

Hi,

I have discovered a vulnerability that might lead to code execution in Contao CMS <= 3.2.4.

Contao CMS <= 3.2.4 does not properly validate user input in several locations, which is then passed directly into PHP's unserialize().

This has been fixed in Contao 2.3.5 as per commit:

Announcements can be found at:
https://…/en/news/contao-3_2_5.html
https://…/en/news/contao-2_11_14.html

Thanks to the Contao developers for being so responsive.

The full report can be found at my repo in

Can you please assign a CVE for the vulnerability described above?

Thanks in advance.

Regards,
Pedro Ribeiro
Agile Information Security
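The bug class behind this advisory, as an added example that is not Contao's code: a serialized object handed straight to unserialize() triggers its magic methods, and two defensive patterns stop that. The AuditEntry class and the input string are constructed for illustration.

```php
<?php
// Added example (not Contao code): why raw user input in unserialize() is
// dangerous, and two defensive patterns. Class and input are constructed.

class AuditEntry
{
    public $file = '/tmp/audit.log';
    // A magic method that PHP runs automatically while unserializing an
    // object: this is what turns an unserialize() sink into code execution.
    public function __wakeup()
    {
        echo "__wakeup() ran for " . static::class . "\n";
    }
}

// Constructed client-controlled payload: a serialized AuditEntry whose
// property value was chosen by the client, not by the application.
$userInput = 'O:10:"AuditEntry":1:{s:4:"file";s:16:"/var/www/out.txt";}';

// Vulnerable: the pattern the advisory describes (input straight into unserialize).
function vulnerable($input)
{
    return unserialize($input);           // __wakeup() fires on the client's object
}

// Hardened (PHP >= 7.0): forbid object instantiation entirely. Any object in
// the input becomes __PHP_Incomplete_Class and no magic method runs.
function hardenedAllowedClasses($input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Hardened (any PHP, e.g. the 5.x series current when Contao 3.2 shipped):
// reject a serialized string that encodes objects before it reaches
// unserialize(). Prefer a format without object semantics (JSON) where possible.
function hardenedReject($input)
{
    // Object (O:) or custom-serialized (C:) token at string start or after a
    // separator; an optional sign in the length field is tolerated.
    if (preg_match('/(^|[;{])[OC]:\+?\d+:"/', $input)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return unserialize($input);
}

vulnerable($userInput);                                  // __wakeup() ran for AuditEntry
var_dump(get_class(hardenedAllowedClasses($userInput))); // string(22) "__PHP_Incomplete_Class"
try {
    hardenedReject($userInput);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                          // serialized objects are not accepted
}
```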

