[HIGH] A logged in back end user can include arbitrary existing PHP files by manipulating an URL parameter

PKSA-rsrx-gn7x-r7yr CVE-2017-10993 GHSA-x5g4-crxq-qxjx

Affected package: contao/core

Affected version: >=3.0.0,<3.5.28

Reported by:
FriendsOfPHP/security-advisories, GitHub