{"url":"http://public2.vulnerablecode.io/api/packages/53847?format=json","purl":"pkg:composer/contao/core@4.3.0","type":"composer","namespace":"contao","name":"core","version":"4.3.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38709?format=json","vulnerability_id":"VCID-crsc-bhc9-y3f9","summary":"PHP file inclusion vulnerability in the back end\nA logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.","references":[{"reference_url":"https://contao.org/en/news/contao-3_5_28.html","reference_id":"","reference_type":"","scores":[],"url":"https://contao.org/en/news/contao-3_5_28.html"},{"reference_url":"https://contao.org/en/news/contao-4_4_1.html","reference_id":"","reference_type":"","scores":[],"url":"https://contao.org/en/news/contao-4_4_1.html"},{"reference_url":"https://github.com/contao/core-bundle/commit/2a85914f4ba858780ffbac38a468acb7028772c7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/contao/core-bundle/commit/2a85914f4ba858780ffbac38a468acb7028772c7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-10993","reference_id":"CVE-2017-10993","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-10993"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-10993.yaml","reference_id":"CVE-2017-10993.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-10993.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-10993.yaml","reference_id":"CVE-2017-10993.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-10993.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2017-10993.yaml","reference_id":"CVE-2017-10993.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2017-10993.yaml"},{"reference_url":"https://github.com/advisories/GHSA-x5g4-crxq-qxjx","reference_id":"GHSA-x5g4-crxq-qxjx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x5g4-crxq-qxjx"}],"fixed_packages":[],"aliases":["CVE-2017-10993","GHSA-x5g4-crxq-qxjx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-crsc-bhc9-y3f9"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/contao/core@4.3.0"}