[HIGH] A logged in back end user can include arbitrary existing PHP files by manipulating an URL parameter

PKSA-bm99-nmx5-wsq1 CVE-2017-10993 GHSA-x5g4-crxq-qxjx

Affected package: contao/core-bundle

Affected version: >=4.0.0,<4.4.1

Reported by:
FriendsOfPHP/security-advisories, GitHub