{"url":"http://public2.vulnerablecode.io/api/packages/53840?format=json","purl":"pkg:composer/contao/core@3.5.27","type":"composer","namespace":"contao","name":"core","version":"3.5.27","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.5.28","latest_non_vulnerable_version":"3.5.39","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38709?format=json","vulnerability_id":"VCID-crsc-bhc9-y3f9","summary":"PHP file inclusion vulnerability in the back end\nA logged-in back end user can include arbitrary PHP files by manipulating a URL parameter. Since Contao does not allow uploading PHP files in the file manager, the attack is limited to the existing PHP files on the server.","references":[{"reference_url":"https://contao.org/en/news/contao-3_5_28.html","reference_id":"","reference_type":"","scores":[],"url":"https://contao.org/en/news/contao-3_5_28.html"},{"reference_url":"https://contao.org/en/news/contao-4_4_1.html","reference_id":"","reference_type":"","scores":[],"url":"https://contao.org/en/news/contao-4_4_1.html"},{"reference_url":"https://github.com/contao/core-bundle/commit/2a85914f4ba858780ffbac38a468acb7028772c7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/contao/core-bundle/commit/2a85914f4ba858780ffbac38a468acb7028772c7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-10993","reference_id":"CVE-2017-10993","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-10993"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-10993.yaml","reference_id":"CVE-2017-10993.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-10993.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-10993.yaml","reference_id":"CVE-2017-10993.YAML","ref
erence_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-10993.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2017-10993.yaml","reference_id":"CVE-2017-10993.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2017-10993.yaml"},{"reference_url":"https://github.com/advisories/GHSA-x5g4-crxq-qxjx","reference_id":"GHSA-x5g4-crxq-qxjx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x5g4-crxq-qxjx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53852?format=json","purl":"pkg:composer/contao/core@3.5.28","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/contao/core@3.5.28"}],"aliases":["CVE-2017-10993","GHSA-x5g4-crxq-qxjx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-crsc-bhc9-y3f9"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/contao/core@3.5.27"}