CVE-2017-16558: Contao SQL injection in the backend and listing module
CVSS Score (v3.0): 9.8
Basic Information
CVE ID: CVE-2017-16558
GHSA ID:
EPSS Score: 0.56318%
CWE: CWE-89
Published: 5/24/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
contao/contao | composer | >= 3.0.0, <= 3.5.30 | |
contao/contao | composer | >= 4.0.0, < 4.4.8 | 4.4.8 |
contao/core-bundle | composer | >= 3.0.0, <= 3.5.30 | |
contao/core-bundle | composer | >= 4.0.0, < 4.4.8 | 4.4.8 |
contao/listing-bundle | composer | >= 3.0.0, <= 3.5.30 | |
contao/listing-bundle | composer | >= 4.0.0, < 4.4.8 | 4.4.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability manifests in two components:
- In the searchMenu method of DC_Table.php, the pre-patch code accepted unfiltered user input for the database field name (tl_field), so a crafted value could alter the generated WHERE clause. The fix added a strict in_array check against the known field names.
- In the compile method of ModuleListing.php, the user-controlled order_by and sort parameters were interpolated directly into the ORDER BY clause without validation. The patch introduced allow-list validation for both parameters.
Neither function neutralized SQL special elements in these inputs, which matches the CWE-89 pattern (improper neutralization of special elements used in an SQL command).
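The following is an added illustration of the listing-module pattern described above, not Contao's own code: a hypothetical ORDER BY builder that interpolates the request parameters unchanged, beside the allow-listed form that a fix of the kind described (strict in_array validation) produces. Function names, the sample request and the allowed column list are constructed for this note, and identifier quoting assumes MySQL backticks.

```php
<?php
// Hypothetical listing query builder, constructed for this note; not Contao's code.

// Vulnerable form: the request values land in the ORDER BY clause unchanged,
// so any SQL the client supplies becomes part of the statement (CWE-89).
function buildOrderByUnsafe(array $request): string
{
    $orderBy = $request['order_by'] ?? 'id';
    $sort    = $request['sort'] ?? 'ASC';
    return "ORDER BY $orderBy $sort";
}

// Hardened form: only values from fixed allow-lists are accepted; anything
// else falls back to a safe default instead of reaching the SQL string.
function buildOrderBySafe(array $request, array $allowedColumns): string
{
    $orderBy = (string) ($request['order_by'] ?? $allowedColumns[0]);
    $sort    = strtoupper((string) ($request['sort'] ?? 'ASC'));

    // Strict comparison (third argument true) so loose matches such as "0" are rejected.
    if (!in_array($orderBy, $allowedColumns, true)) {
        $orderBy = $allowedColumns[0];
    }
    if (!in_array($sort, ['ASC', 'DESC'], true)) {
        $sort = 'ASC';
    }

    // Quote the identifier as well, so even an allow-listed name is passed as an identifier
    // rather than as free text (MySQL backtick quoting assumed).
    return sprintf('ORDER BY `%s` %s', str_replace('`', '``', $orderBy), $sort);
}

// Constructed sample request: the order_by value is not a bare column name.
$request = ['order_by' => 'id, (SELECT 1)', 'sort' => 'asc'];
$allowed = ['id', 'title', 'tstamp'];

echo buildOrderByUnsafe($request), PHP_EOL;        // the whole string reaches the clause
echo buildOrderBySafe($request, $allowed), PHP_EOL; // falls back to the first allowed column
```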