CVE-2019-19712

Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://contao.org/en/news.html	Release Notes Vendor Advisory
https://contao.org/en/security-advisories/information-disclosure-in-the-back-end.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:contao:contao::::::::
	cpe:2.3:a:contao:contao::::::::
	cpe:2.3:a:contao:contao:4.0:::::::*
	cpe:2.3:a:contao:contao:4.1:::::::*
	cpe:2.3:a:contao:contao:4.2:::::::*
	cpe:2.3:a:contao:contao:4.3:::::::*
	cpe:2.3:a:contao:contao:4.5:::::::*
	cpe:2.3:a:contao:contao:4.6:::::::*
	cpe:2.3:a:contao:contao:4.7:::::::*

History

No history.

Information

Published : 2019-12-17 14:15

Updated : 2019-12-31 16:21

NVD link : CVE-2019-19712

Mitre link : CVE-2019-19712

CVE.ORG link : CVE-2019-19712

JSON object : View

Products Affected

contao

contao

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2019-19712", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2019-12-17T14:15:18.153", "references": [{"url": "https://contao.org/en/news.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://contao.org/en/security-advisories/information-disclosure-in-the-back-end.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them."}, {"lang": "es", "value": "Contao versiones 4.0 hasta la versi\u00f3n 4.8.5, tiene permisos no seguros. Los usuarios finales pueden manipular la URL de la vista de detalles para mostrar p\u00e1ginas y art\u00edculos que no han sido habilitados para ellos."}], "lastModified": "2019-12-31T16:21:13.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "349036F4-3FB9-4574-A568-3DF5F9C9A182", "versionEndIncluding": "4.4.45", "versionStartIncluding": "4.4.0"}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC371563-77B0-4C5F-A66C-E03C64C3779B", "versionEndIncluding": "4.8.5", "versionStartIncluding": "4.8"}, {"criteria": "cpe:2.3:a:contao:contao:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DE7216A-3486-47CA-8D7F-1E65DB974A32"}, {"criteria": "cpe:2.3:a:contao:contao:4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94C28910-F081-4039-AED5-BA41135B663A"}, {"criteria": "cpe:2.3:a:contao:contao:4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5A04634-8F66-4147-8175-DA09A57B3F4A"}, {"criteria": "cpe:2.3:a:contao:contao:4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "022613D3-B240-479B-A3F5-A6459044A483"}, {"criteria": "cpe:2.3:a:contao:contao:4.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D63B7ED-B2FA-46A2-9471-ED363182F318"}, {"criteria": "cpe:2.3:a:contao:contao:4.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA76FF3F-26FB-46B8-8179-D0E4985CA98C"}, {"criteria": "cpe:2.3:a:contao:contao:4.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6495BA2-DB3D-4877-93A7-13C0ABC0B291"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}