CVE-2019-19712

MEDIUM

Contao 4.0-4.8.5 - Unauthenticated Information Disclosure via Backend Details View URL

Title source: llm

Description

Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.

References (2)

Core References
Release Notes, Vendor Advisory x_refsource_misc
https://contao.org/en/news.html

Scores

CVSS v3 5.3
EPSS 0.0088
EPSS Percentile 54.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-276
Status published
Products (10)
contao/contao 4.0
contao/contao 4.1
contao/contao 4.2
contao/contao 4.3
contao/contao 4.5
contao/contao 4.6
contao/contao 4.7
contao/contao 4.0.0 - 4.4.46 (Packagist)
contao/contao 4.4.0 - 4.4.45
contao/core-bundle 4.0.0 - 4.4.46 (Packagist)
Published Dec 17, 2019
Tracked Since Feb 18, 2026