CVE-2024-45604: 
PHP vulnerability analysis and mitigation

Contao, an Open Source CMS, was found to contain a directory traversal vulnerability (CVE-2024-45604) that affects authenticated users in the back end. The vulnerability allows users to list files outside the document root in the file selector widget. The issue affects all versions of Contao up to version 4.13.48, with the fix being released in version 4.13.49 (Vendor Advisory, GitHub Advisory).

The vulnerability is classified as a Path Traversal issue (CWE-22) with a CVSS v3.1 base score of 4.3 (MEDIUM), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability requires network access and low privileges to exploit, requires no user interaction, has unchanged scope, and can result in low confidentiality impact with no impact on integrity or availability (GitHub Advisory).

The vulnerability allows authenticated back end users to list files outside their file mounts or the document root in the FileSelector widget. However, it's important to note that while files can be listed, attackers cannot edit these files or view their content (Vendor Advisory).

The recommended solution is to upgrade to Contao version 4.13.49. According to the security advisory, there are no known workarounds for this vulnerability (Vendor Advisory).