VYPR
Moderate severity · NVD Advisory · Published Sep 17, 2024 · Updated Sep 18, 2024

Directory traversal in the file selector widget in contao/core-bundle

CVE-2024-45604

Description

Contao is an Open Source CMS. In affected versions, authenticated users in the back end can list files outside the document root in the file selector widget. Users are advised to update to Contao 4.13.49. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated back-end users in Contao CMS can exploit the file selector widget to list files outside the document root due to insufficient path validation.

Vulnerability

Contao CMS versions before 4.13.49 contain a directory traversal vulnerability in the file selector widget (FileSelector class). The renderFiletree method does not check whether the requested path is within the user's allowed file mounts, allowing authenticated back-end users to list files outside the document root [1][3].

Exploitation

An attacker with valid back-end credentials can craft a request to the file selector widget with a path traversal sequence (e.g., ../../etc) to list files in arbitrary directories. The vulnerability is exploitable without any special privileges beyond a standard back-end account [4]. The commit that fixes the issue adds an isMounted() check, which verifies that the requested path lies within the user's file mounts (or, for administrators, the configured upload path) and rejects anything else [3].
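The mount check the fix introduces, as an added example that is not Contao's own code: a stand-alone PHP 8 re-creation of the isMounted() logic, written without Symfony's Path helper so the segment-wise base-path test is spelled out, and run against a constructed root directory, file mounts and request paths (all hypothetical). It goes slightly beyond the patch by also exercising the prefix-collision case ("files/publicity" against the mount "files/public") that a naive string-prefix comparison would wrongly allow.

```php
<?php
// Added example, not Contao's code; root dir, mounts and sample paths are hypothetical.
// Reject '..' segments and NUL bytes on the raw input (cf. Validator::isInsecurePath()).
function isInsecurePath(string $path): bool
{
    $segments = explode('/', str_replace('\\', '/', $path));
    return str_contains($path, "\0") || in_array('..', $segments, true);
}
// Segment-wise prefix test: "files/foo" is a base of "files/foo/bar" but not
// of "files/foobar", which a plain string-prefix check would accept.
function isBasePath(string $base, string $path): bool
{
    $base = rtrim($base, '/');
    $path = rtrim($path, '/');
    return $path === $base || str_starts_with($path, $base . '/');
}
// Deny by default: $path (relative, or absolute under $rootDir) must sit inside a mount.
function isMounted(string $path, array $mounts, string $rootDir): bool
{
    if (isInsecurePath($path)) {
        throw new RuntimeException('Insecure path ' . $path);
    }
    if (str_starts_with($path, $rootDir . '/')) {
        $path = substr($path, strlen($rootDir) + 1); // make it relative to the root
    }
    foreach ($mounts as $mount) {
        if (isBasePath($mount, $path)) {
            return true;
        }
    }
    return false; // no mount matched: deny by default
}
$root   = '/var/www/project';                    // constructed
$mounts = ['files/public', 'files/shared/docs']; // constructed user mounts
$requests = [
    'files/public/img',           // inside a mount
    $root . '/files/shared/docs', // absolute form of a mount root
    'files/publicity',            // shares a prefix with a mount only
    'system/config',              // outside every mount
    'files/public/../../config',  // traversal, refused before any lookup
];
foreach ($requests as $request) {
    try {
        $verdict = isMounted($request, $mounts, $root) ? 'allowed' : 'denied';
    } catch (RuntimeException $e) {
        $verdict = $e->getMessage();
    }
    printf("%-28s %s\n", $request, $verdict);
}
```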

Impact

Successful exploitation allows an attacker to enumerate files and directories outside the intended document root, potentially revealing sensitive configuration files, source code, or other data. This breach of confidentiality could aid in further attacks on the application or server [1][4].

Mitigation

The vulnerability is patched in Contao version 4.13.49. Users should update to this version or later. No known workarounds exist [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: contao/core-bundle (Packagist)
Affected versions: < 4.13.49
Patched versions: 4.13.49

Patches

Commit 63409c6bdfd9 in https://github.com/contao/contao, by Martin Auswöger, Sep 17, 2024 (via GHSA)

Merge commit from fork

1 file changed · +37 −0
  • core-bundle/src/Resources/contao/widgets/FileSelector.php (modified, +37 −0)
    @@ -362,6 +362,11 @@ public function generateAjax($strFolder, $strField, $level, $mount=false)
     	 */
     	protected function renderFiletree($path, $intMargin, $mount=false, $blnProtected=true, $arrFound=array())
     	{
    +		if (!$this->isMounted($path))
    +		{
    +			throw new \RuntimeException('Folder "' . $path . '" is not mounted or cannot be found.');
    +		}
    +
     		// Invalid path
     		if (!is_dir($path))
     		{
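Review bot: the docblock that closes just above renderFiletree() (the ` */` context line) is not updated for the new guard; add a `@throws \RuntimeException` entry so callers such as generateAjax() know the method now throws for unmounted paths. Placing the isMounted() check ahead of the existing `// Invalid path` / `is_dir($path)` test is the right order, since no filesystem probe happens before the authorisation decision, but it also means the exception message, which interpolates the user-supplied `$path`, is now the first thing an unmounted request produces; make sure the AJAX caller maps that exception to a generic error instead of returning the raw message.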
    @@ -665,6 +670,38 @@ protected function isProtectedPath($path)
     
     		return true;
     	}
    +
    +	protected function isMounted($path)
    +	{
    +		if (Validator::isInsecurePath($path))
    +		{
    +			throw new \RuntimeException('Insecure path ' . $path);
    +		}
    +
    +		$this->import(BackendUser::class, 'User');
    +
    +		$path = StringUtil::stripRootDir($path);
    +		$filemounts = array();
    +
    +		if ($this->User->isAdmin)
    +		{
    +			$filemounts[] = System::getContainer()->getParameter('contao.upload_path');
    +		}
    +		elseif (\is_array($this->User->filemounts))
    +		{
    +			$filemounts = $this->User->filemounts;
    +		}
    +
    +		foreach ($filemounts as $filemount)
    +		{
    +			if (Path::isBasePath($filemount, $path))
    +			{
    +				return true;
    +			}
    +		}
    +
    +		return false;
    +	}
     }
     
     class_alias(FileSelector::class, 'FileSelector');
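Review bot: both hunks sit below line 362 and the summary is +37/−0, so no `use` statements are added; confirm that `Validator`, `StringUtil`, `System`, `BackendUser` and `Path` are already imported in FileSelector.php, otherwise `Path::isBasePath()` fails at runtime instead of denying. The fall-through is correctly deny-by-default: a non-admin whose `filemounts` is not an array ends with an empty `$filemounts` and `return false`, and `Validator::isInsecurePath()` runs on the raw `$path` before `StringUtil::stripRootDir()`, which is the right order. One behavioural point worth a test: the admin branch whitelists only `contao.upload_path`, so an administrator browsing a folder passed through the `$mount` parameter of generateAjax()/renderFiletree() that lies outside the upload path is now rejected as well; if that is intended, say so in the commit message. As in the first hunk, consider not interpolating `$path` into the `'Insecure path ' . $path` exception message.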
    

