{
  "schema_version": "1.4.0",
  "id": "GHSA-r6mv-ppjc-4hgr",
  "modified": "2024-04-22T18:42:22Z",
  "published": "2021-08-23T19:41:04Z",
  "aliases": [
    "CVE-2021-37626"
  ],
  "summary": "PHP file inclusion via insert tags",
  "details": "### Impact\n\nIt is possible for untrusted users to load arbitrary PHP files via insert tags.\n\nInstallations are only affected if there are untrusted back end users.\n\n### Patches\n\nUpdate to Contao 4.4.56, 4.9.18 or 4.11.7.\n\n### Workarounds\n\nDisable the login for untrusted back end users.\n\n### References\n\nhttps://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/core-bundle"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.56"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/core-bundle"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "4.5.0"
            },
            {
              "fixed": "4.9.18"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/core-bundle"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "4.10.0"
            },
            {
              "fixed": "4.11.7"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/contao"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.56"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/contao"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "4.5.0"
            },
            {
              "fixed": "4.9.18"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "contao/contao"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "4.10.0"
            },
            {
              "fixed": "4.11.7"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/contao/contao/security/advisories/GHSA-r6mv-ppjc-4hgr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37626"
    },
    {
      "type": "WEB",
      "url": "https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-37626.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-37626.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/contao/contao"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T16:51:34Z",
    "nvd_published_at": "2021-08-11T23:15:00Z"
  }
}