{"id":"GHSA-qqfq-7cpp-hcqj","summary":"Contao does not properly manage privileges for page and article fields","details":"### Impact\n\nUnder certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions.\n\n### Patches\n\nUpdate to Contao 5.3.38 or 5.6.1.\n\n### Workarounds\n\nNone.\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).","aliases":["CVE-2025-57759"],"modified":"2025-08-28T19:37:25.623503Z","published":"2025-08-28T14:58:22Z","database_specific":{"cwe_ids":["CWE-269"],"github_reviewed_at":"2025-08-28T14:58:22Z","nvd_published_at":"2025-08-28T17:15:36Z","severity":"MODERATE","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/contao/contao/security/advisories/GHSA-qqfq-7cpp-hcqj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57759"},{"type":"WEB","url":"https://github.com/contao/contao/commit/80ee7db12d55ad979d9b1b180f273d4e2668851f"},{"type":"WEB","url":"https://contao.org/en/security-advisories/improper-privilege-management-for-page-and-article-fields"},{"type":"PACKAGE","url":"https://github.com/contao/contao"}],"affected":[{"package":{"name":"contao/core-bundle","ecosystem":"Packagist","purl":"pkg:composer/contao/core-bundle"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.3.0"},{"fixed":"5.3.38"}]}],"versions":["5.3.0","5.3.1","5.3.10","5.3.11","5.3.12","5.3.13","5.3.14","5.3.15","5.3.16","5.3.17","5.3.18","5.3.19","5.3.2","5.3.20","5.3.21","5.3.22","5.3.23","5.3.24","5.3.25","5.3.26","5.3.27","5.3.28","5.3.29","5.3.3","5.3.30","5.3.31","5.3.32","5.3.33","5.3.34","5.3.35","5.3.36","5.3.37","5.3.4","5.3.5","5.3.6","5.3.7","5.3.8","5.3.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-qqfq-7cpp-hcqj/GHSA-qqfq-7cpp-hcqj.json"}},{"package":{"name":"contao/core-bundle","ecosystem":"Packagist","purl":"pkg:composer/contao/core-bundle"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.4.0-RC1"},{"fixed":"5.6.1"}]}],"versions":["5.4.0","5.4.0-RC1","5.4.0-RC2","5.4.0-RC3","5.4.0-RC4","5.4.1","5.4.10","5.4.11","5.4.12","5.4.13","5.4.14","5.4.2","5.4.3","5.4.4","5.4.5","5.4.6","5.4.7","5.4.8","5.4.9","5.5.0","5.5.0-RC1","5.5.0-RC2","5.5.0-RC3","5.5.0-RC4","5.5.1","5.5.10","5.5.11","5.5.12","5.5.13","5.5.14","5.5.15","5.5.16","5.5.2","5.5.3","5.5.4","5.5.5","5.5.6","5.5.7","5.5.8","5.5.9","5.6.0","5.6.0-RC1","5.6.0-RC2","5.6.0-RC3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-qqfq-7cpp-hcqj/GHSA-qqfq-7cpp-hcqj.json"}},{"package":{"name":"contao/contao","ecosystem":"Packagist","purl":"pkg:composer/contao/contao"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.3.0"},{"fixed":"5.3.38"}]}],"versions":["5.3.0","5.3.1","5.3.10","5.3.11","5.3.12","5.3.13","5.3.14","5.3.15","5.3.16","5.3.17","5.3.18","5.3.19","5.3.2","5.3.20","5.3.21","5.3.22","5.3.23","5.3.24","5.3.25","5.3.26","5.3.27","5.3.28","5.3.29","5.3.3","5.3.30","5.3.31","5.3.32","5.3.33","5.3.34","5.3.35","5.3.36","5.3.37","5.3.4","5.3.5","5.3.6","5.3.7","5.3.8","5.3.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-qqfq-7cpp-hcqj/GHSA-qqfq-7cpp-hcqj.json"}},{"package":{"name":"contao/contao","ecosystem":"Packagist","purl":"pkg:composer/contao/contao"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.4.0-RC1"},{"fixed":"5.6.1"}]}],"versions":["5.4.0","5.4.0-RC1","5.4.0-RC2","5.4.0-RC3","5.4.0-RC4","5.4.1","5.4.10","5.4.11","5.4.12","5.4.13","5.4.14","5.4.2","5.4.3","5.4.4","5.4.5","5.4.6","5.4.7","5.4.8","5.4.9","5.5.0","5.5.0-RC1","5.5.0-RC2","5.5.0-RC3","5.5.0-RC4","5.5.1","5.5.10","5.5.11","5.5.12","5.5.13","5.5.14","5.5.15","5.5.16","5.5.2","5.5.3","5.5.4","5.5.5","5.5.6","5.5.7","5.5.8","5.5.9","5.6.0","5.6.0-RC1","5.6.0-RC2","5.6.0-RC3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-qqfq-7cpp-hcqj/GHSA-qqfq-7cpp-hcqj.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}