{"id":"CVE-2019-19745","details":"Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.","aliases":["GHSA-wjx8-cgrm-hh8p"],"modified":"2026-04-10T04:16:54.377847Z","published":"2019-12-17T15:15:25.957Z","references":[{"type":"ADVISORY","url":"https://contao.org/en/security-advisories/unrestricted-file-uploads.html"},{"type":"ADVISORY","url":"https://contao.org/en/news.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/contao/contao","events":[{"introduced":"da8a867d8335c4ca55e5085dac11f1fecd12650e"},{"last_affected":"0dae4caadb79f1581d1851d849955929318bc7d9"},{"introduced":"879e05ecc75a6bf70aabc1c3d867eb420f291f60"},{"last_affected":"e2234567e8a17ff151137c288b14591213652195"},{"introduced":"0"},{"last_affected":"84b2fe637d5ead531f117f26b48d1b9de8df4074"},{"introduced":"0"},{"last_affected":"a112b68dcb5215b01f2c4c4b8de6bcb3d3b9ae81"},{"introduced":"0"},{"last_affected":"dfb96f2755181aedb587e897316a656dd933df31"},{"introduced":"0"},{"last_affected":"afeedc98905a9dedd598f5a5814decc1ad1b008d"},{"introduced":"0"},{"last_affected":"b09b4d51d13d37b4bfcd2ef4314fc6a20184dc55"},{"introduced":"0"},{"last_affected":"c3e0c88e63095d83fd37fb96c4381de7658de4dc"},{"introduced":"0"},{"last_affected":"b4dda036c2c0fc7d17c1aa402eaacf6b5dc335fc"}],"database_specific":{"versions":[{"introduced":"4.4"},{"last_affected":"4.4.45"},{"introduced":"4.8"},{"last_affected":"4.8.5"},{"introduced":"0"},{"last_affected":"4.0"},{"introduced":"0"},{"last_affected":"4.1"},{"introduced":"0"},{"last_affected":"4.2"},{"introduced":"0"},{"last_affected":"4.3"},{"introduced":"0"},{"last_affected":"4.5"},{"introduced":"0"},{"last_affected":"4.6"},{"introduced":"0"},{"last_affected":"4.7"}]}}],"versions":["4.0.0","4.1.0","4.2.0","4.3.0","4.4.22","4.4.23","4.4.24","4.4.25","4.4.26","4.4.27","4.4.28","4.4.29","4.4.30","4.4.31","4.4.32","4.4.33","4.4.34","4.4.35","4.4.36","4.4.37","4.4.38","4.4.39","4.4.40","4.4.41","4.4.42","4.4.43","4.4.44","4.4.45","4.5.0","4.6.0","4.7.0","4.7.0-RC1","4.7.0-RC2","4.7.0-RC3","4.7.0-RC4","4.8.0","4.8.1","4.8.2","4.8.3","4.8.4","4.8.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19745.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}