=====================================================================
CERT-Renater Information Note No. 2025/VULN558
_____________________________________________________________________

DATE                 : 29/08/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Contao versions prior to 4.13.56, 5.3.38, 5.6.1.
=====================================================================

https://contao.org/en/security-advisories/improper-privilege-management-for-page-and-article-fields
https://contao.org/en/security-advisories/improper-access-control-in-the-back-end-voters
https://contao.org/en/security-advisories/information-disclosure-in-the-news-module
https://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index

_____________________________________________________________________

Improper privilege management for page and article fields

Date: 2025-08-28
CVE ID: CVE-2025-57759

Under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions.

Affected versions
  Contao 5.3 up to 5.3.37
  Contao 5.4
  Contao 5.5
  Contao 5.6 up to 5.6.0

Suggested solution
  Upgrade to Contao 5.3.38 or 5.6.1.

Workaround
  None.

More information
  https://github.com/contao/contao/security/advisories/GHSA-qqfq-7cpp-hcqj

_____________________________________________________________________

Improper access control in the back end voters

Date: 2025-08-28
CVE ID: CVE-2025-57758

The table access voter in the back end doesn't check if a user is allowed to access the corresponding module.

Affected versions
  Contao 5.3 up to 5.3.37
  Contao 5.4
  Contao 5.5
  Contao 5.6 up to 5.6.0

Suggested solution
  Upgrade to Contao 5.3.38 or 5.6.1.

Workaround
  Do not rely solely on the voter and additionally check USER_CAN_ACCESS_MODULE.
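As an added illustration of the workaround for CVE-2025-57758 (not code from the advisory or from the Contao project), the following service checks USER_CAN_ACCESS_MODULE for the back end module before consulting the table access voter. It assumes Contao 5.x with the ContaoCorePermissions constants and the UpdateAction subject class from the Contao core bundle, and Symfony's Security helper; the class name GuardedTableAccess and the module/table pair in the docblock are illustrative.

```php
<?php
// Added example of the advisory's workaround for CVE-2025-57758:
// never rely on the table access voter alone; first check that the
// user may open the back end module the table belongs to.
// Not Contao's own code. Assumes Contao 5.x (ContaoCorePermissions,
// UpdateAction) and Symfony >= 6.2 (Symfony\Bundle\SecurityBundle\Security).

declare(strict_types=1);

namespace App\Security; // illustrative namespace

use Contao\CoreBundle\Security\ContaoCorePermissions;
use Contao\CoreBundle\Security\DataContainer\UpdateAction;
use Symfony\Bundle\SecurityBundle\Security;

final class GuardedTableAccess // illustrative class name
{
    public function __construct(private readonly Security $security)
    {
    }

    /**
     * Returns true only if the current back end user may both access the
     * module and update the given record of the table it edits.
     *
     * @param string $module back end module name, e.g. "article"
     * @param string $table  DCA table edited by that module, e.g. "tl_article"
     * @param array  $record the current row as loaded from the database
     */
    public function canUpdate(string $module, string $table, array $record): bool
    {
        // Step 1: the module permission that the affected voter did not
        // enforce on its own. Deny early if the module itself is off limits.
        if (!$this->security->isGranted(ContaoCorePermissions::USER_CAN_ACCESS_MODULE, $module)) {
            return false;
        }

        // Step 2: the regular table access voter (attribute "contao_dc.<table>")
        // with an UpdateAction subject describing the record being changed.
        return $this->security->isGranted(
            ContaoCorePermissions::DC_PREFIX.$table,
            new UpdateAction($table, $record),
        );
    }
}
```

Wire the service into the controller or listener that performs the write and call canUpdate() before every modification; once upgraded to 5.3.38 or 5.6.1 the extra module check is redundant but harmless.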
More information
  https://github.com/contao/contao/security/advisories/GHSA-7m47-r75r-cx8v

_____________________________________________________________________

Information disclosure in the news module

Date: 2025-08-28
CVE ID: CVE-2025-57757

If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed.

Affected versions
  Contao 5.3 up to 5.3.37
  Contao 5.4
  Contao 5.5
  Contao 5.6 up to 5.6.0

Suggested solution
  Upgrade to Contao 5.3.38 or 5.6.1.

Workaround
  Do not add protected news archives to the news feed page.

More information
  https://github.com/contao/contao/security/advisories/GHSA-w53m-gxvg-vx7p

_____________________________________________________________________

Information disclosure in the front end search index

Date: 2025-08-28
CVE ID: CVE-2025-57756

Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.

Affected versions
  Contao 4.9 from 4.9.14
  Contao 4.10
  Contao 4.11
  Contao 4.12
  Contao 4.13 up to 4.13.55
  Contao 5.0
  Contao 5.1
  Contao 5.2
  Contao 5.3 up to 5.3.37
  Contao 5.4
  Contao 5.5
  Contao 5.6 up to 5.6.0

Suggested solution
  Upgrade to Contao 4.13.56, 5.3.38 or 5.6.1.

Workaround
  Disable the front end search.

More information
  https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475

=========================================================
+ CERT-RENATER         | tel   : 01-53-94-20-44          +
+ 23/25 Rue Daviel     | fax   : 01-53-94-20-41          +
+ 75013 Paris          | email : cert@support.renater.fr +
=========================================================