CVE-2018-20028: Contao Information Disclosure via Access Control Flaws
CVSS Score: 6.5 (CVSS v3.0)
Basic Information
CVE ID: CVE-2018-20028
GHSA ID:
EPSS Score: 0.51531%
CWE:
Published: 5/13/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| contao/contao | composer | >= 3.0.0, < 3.5.37 | 3.5.37 |
| contao/contao | composer | >= 4.6.0, < 4.6.11 | 4.6.11 |
| contao/contao | composer | >= 4.4.0, < 4.4.31 | 4.4.31 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing access control checks in the permission validation functions of Contao's Data Container Array (DCA) definitions. The fix commit adds checks that the requested record ID is contained in the user's root array before the 'select' and 'paste' actions are allowed, across multiple DCA files (tl_calendar_events, tl_news, etc.); these additions correspond directly to the described information disclosure vectors. The DC_Table.php changes correct root node handling that previously let a user view a parent record they were not authorized to access. The tl_page.php changes address the pagemounts issue, where a user with an empty set of page mounts was treated as having unrestricted access instead of none. Each of these functions was modified in the patch specifically to add the missing access control, which confirms that they were the vulnerable code paths.