Contao has improper privilege management for page and article fields

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. This issue has been patched in versions 5.3.38 and 5.6.1. There are no workarounds.

Basic Information

ID CVE-2025-57759

Source GitHub_M

Published Aug 28, 2025 at 16:32

Modified Aug 28, 2025 at 17:16

Affected Product

Vendor contao

Product contao

Version >= 5.3.0, < 5.3.38

Affected Versions contao contao >= 5.3.0, < 5.3.38
contao contao >= 5.4.0-RC1, < 5.6.1

CWE Classification

CWE-269

References

{
    "lastseen": "",
    "description": "Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. This issue has been patched in versions 5.3.38 and 5.6.1. There are no workarounds.",
    "published": "2025-08-28T16:32:59.022Z",
    "modified": "2025-08-28T17:16:55.904Z",
    "type": "cve",
    "title": "Contao has improper privilege management for page and article fields",
    "source": "GitHub_M",
    "references": "https://github.com/contao/contao/security/advisories/GHSA-qqfq-7cpp-hcqj\nhttps://github.com/contao/contao/commit/80ee7db12d55ad979d9b1b180f273d4e2668851f\nhttps://contao.org/en/security-advisories/improper-privilege-management-for-page-and-article-fields",
    "id": "CVE-2025-57759",
    "bulletinFamily": "",
    "cwe": [
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "contao contao >= 5.3.0, < 5.3.38\ncontao contao >= 5.4.0-RC1, < 5.6.1",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "contao",
    "version": ">= 5.3.0, < 5.3.38",
    "vendor": "contao",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Contao has improper privilege management for page and article fields_CVE-2025-57759