CVE-2024-45398

8.3 HIGH

📋 TL;DR

This vulnerability allows authenticated back-end users with file manager access in Contao CMS to upload malicious files and execute arbitrary code on the server, i.e. remote command execution through file uploads. It affects Contao versions before 4.13.49, 5.3.15, and 5.4.3.

💻 Affected Systems

Products:
  • Contao CMS
Versions: before 4.13.49, 5.3.15, and 5.4.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires back-end user with file manager permissions; default installations are vulnerable if using affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise leading to data theft, lateral movement, ransomware deployment, or complete system takeover.

🟠 Likely Case

Unauthorized file upload leading to web shell installation, data exfiltration, or privilege escalation within the CMS.

🟢 If Mitigated

Limited impact with proper file execution restrictions: potentially only file upload without execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.13.49, 5.3.15, or 5.4.3

Vendor Advisory: https://contao.org/en/security-advisories/remote-command-execution-through-file-uploads

Restart Required: No

Instructions:

1. Back up your Contao installation and database.
2. Update Contao to version 4.13.49, 5.3.15, or 5.4.3 using the Contao Manager or a manual update.
3. Clear the cache after the update.

🔧 Temporary Workarounds

Restrict file execution in upload directory (applies to: all)

Configure the web server so that PHP and other scripts stored in Contao's file upload directory are never executed.

For Apache: add 'php_flag engine off' to an .htaccess file in the upload directory (this only takes effect with mod_php and AllowOverride enabled; with PHP-FPM, deny access to *.php files in that directory instead)
For Nginx: add 'location ~ \.php$ { deny all; }' scoped to the upload directory (prefix the regex with the upload path) and place it before the general PHP handler location, since Nginx uses the first matching regex location

🧯 If You Can't Patch

  • Restrict file manager access to only trusted administrators
  • Implement web application firewall rules to block suspicious file uploads

🔍 How to Verify

Check if Vulnerable:

Check the Contao version in System → Settings, or look up the contao/manager-bundle version in composer.json

Check Version:

composer show contao/core-bundle   (run in the installation root; the installed version appears in the 'versions' line)

Verify Fix Applied:

Confirm the installed version is at least 4.13.49 (4.13 branch), 5.3.15 (5.3 branch), or 5.4.3 (5.4 branch)

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to Contao file manager
  • Execution of PHP files from upload directory
  • Multiple failed upload attempts

Network Indicators:

  • HTTP POST requests with file uploads to Contao back-end
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND (uri_path="/contao/files" OR uri_path="/contao/upload") AND (file_extension="php" OR file_extension="phtml")
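
The log and network indicators above, applied to constructed access-log lines, as an added example that is not part of the advisory or of Contao's own code. It assumes the back-end upload paths named in the SIEM query and that Contao's upload directory is served under /files/; both are assumptions, so adjust them to your installation.

```python
import re
from collections import Counter

# Assumptions (not stated in the advisory): Contao serves its upload directory
# under /files/, and the back-end upload endpoints are those in the SIEM query.
UPLOAD_DIR = "/files/"
BACKEND_UPLOAD_PATHS = ("/contao/files", "/contao/upload")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines, fail_threshold=3):
    """Return (severity, reason, client_ip, path) tuples for the page's indicators."""
    findings, failed_uploads = [], Counter()
    for line in lines:
        r = parse(line)
        if not r:
            continue
        path = r["path"].split("?", 1)[0]
        # Indicator: a script requested from the upload directory. A 200 means the
        # server handed something back; a 403 suggests the execution block is working.
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            sev = "HIGH" if r["status"] == "200" else "MEDIUM"
            findings.append((sev, "script request in upload dir", r["ip"], path))
        # Indicator: repeated failed POSTs to the back-end upload endpoints.
        if r["method"] == "POST" and path.startswith(BACKEND_UPLOAD_PATHS):
            if r["status"].startswith("4"):
                failed_uploads[r["ip"]] += 1
    for ip, n in failed_uploads.items():
        if n >= fail_threshold:
            findings.append(("MEDIUM", f"{n} failed back-end uploads", ip, "-"))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2024:10:01:02 +0000] "POST /contao/files HTTP/1.1" 200 512
203.0.113.5 - - [10/Sep/2024:10:01:09 +0000] "GET /files/uploads/report.php?x=1 HTTP/1.1" 200 87
198.51.100.7 - - [10/Sep/2024:10:02:00 +0000] "GET /files/images/logo.png HTTP/1.1" 200 4310
198.51.100.9 - - [10/Sep/2024:10:03:00 +0000] "POST /contao/upload HTTP/1.1" 403 0
198.51.100.9 - - [10/Sep/2024:10:03:01 +0000] "POST /contao/upload HTTP/1.1" 403 0
198.51.100.9 - - [10/Sep/2024:10:03:02 +0000] "POST /contao/upload HTTP/1.1" 400 0
""".splitlines()
```

Running scan(SAMPLE_LOG) yields one HIGH finding for the .php request under /files/ and one MEDIUM finding for the client with three failed back-end uploads.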
