Impact
A back end user with access to the form generator can upload arbitrary files and execute them on the server.
Patches
Update to Contao 4.4.46 or 4.8.6.
Workarounds
Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.
References
https://contao.org/en/security-advisories/unrestricted-file-uploads
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Impact
A back end user with access to the form generator can upload arbitrary files and execute them on the server.
Patches
Update to Contao 4.4.46 or 4.8.6.
Workarounds
Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.
References
https://contao.org/en/security-advisories/unrestricted-file-uploads
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.