Latest Contao (contao/contao) Vulnerabilities

Contao cross site scripting vulnerability via input unit widget
Contao Contao >=5.0.0 <5.1.10
Contao Contao >=4.10.0 <4.13.28
Contao Contao >=4.0.0 <4.9.42
Directory traversal vulnerability in the file manager
composer/contao/contao >=4.9.0 <4.9.40, >=4.13.0 <4.13.21, >=5.1.0 <5.1.4
composer/contao/core-bundle >=4.9.0 <4.9.40, >=4.13.0 <4.13.21, >=5.1.0 <5.1.4
Contao Contao >=2.0.0 <4.9.40
Contao Contao >=4.10.0 <4.13.21
Contao Contao >=5.0.0 <5.1.4
### Impact Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end). ### Patches Update to Contao 4.13.3. ### Workarounds Disable canon...
composer/contao/contao >=4.13.0 <4.13.3
composer/contao/core-bundle >=4.13.0 <4.13.3
Contao Contao >=4.13.0 <=4.13.2
composer/contao/contao >=4.13.0 <4.13.3
composer/contao/core-bundle >=4.13.0 <4.13.3
>=4.13.0 <=4.13.2
Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter.
Contao Contao =1.5.0
### Impact It is possible for untrusted users to load arbitrary PHP files via insert tags. Installations are only affected if there are untrusted back end users. ### Patches Update to Contao 4.4.5...
composer/contao/core-bundle >=4.0.0 <4.4.56, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.18, >=4.10.0 <4.11.0, >=4.11.0 <4.11.7
composer/contao/contao >=4.0.0 <4.4.56, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.18, >=4.10.0 <4.11.0, >=4.11.0 <4.11.7
Contao Contao >=4.4.0 <4.4.56
Contao Contao >=4.9.0 <4.9.18
Contao Contao >=4.11.0 <4.11.7
Contao Contao =4.0.0
and 14 more
### Impact It is possible for untrusted users to gain administrator rights with the form generator. Installations are only affected if there are untrusted back end users with access to the form gene...
composer/contao/contao >=4.0.0 <4.4.56, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.18, >=4.10.0 <4.11.0, >=4.11.0 <4.11.7
composer/contao/core-bundle >=4.0.0 <4.4.56, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.18, >=4.10.0 <4.11.0, >=4.11.0 <4.11.7
Contao Contao >=4.4.0 <4.4.56
Contao Contao >=4.9.0 <4.9.18
Contao Contao >=4.11.0 <4.11.7
Contao Contao =4.0.0
and 26 more
### Impact It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front en...
composer/contao/core-bundle >=4.0.0 <4.4.56, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.18, >=4.10.0 <4.11.0, >=4.11.0 <4.11.7
composer/contao/contao >=4.0.0 <4.4.56, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.18, >=4.10.0 <4.11.0, >=4.11.0 <4.11.7
Contao Contao >=4.0.0 <4.4.56
Contao Contao >=4.5.0 <4.9.18
Contao Contao >=4.10.0 <4.11.7
composer/contao/core-bundle >=4.10.0 <4.11.7
and 8 more
### Impact It is possible to inject code into the `tl_log` table that will be executed in the browser when the system log is called in the back end. ### Patches Update to Contao 4.9.16 or 4.11.5. ...
composer/contao/core-bundle >=4.5.0 <4.9.16, >=4.10.0 <4.11.0, >=4.11.0 <4.11.5
composer/contao/contao >=4.5.0 <4.9.16, >=4.10.0 <4.11.0, >=4.11.0 <4.11.5
Contao Contao >=4.5.0 <4.9.16
Contao Contao >=4.10.0 <4.11.5
composer/contao/contao >=4.10.0 <4.11.5
composer/contao/contao >=4.5.0 <4.9.16
and 4 more
### Impact It is possible to inject insert tags in frontend forms which will be replaced when the page is rendered. ### Patches Update to Contao 4.4.52, 4.9.6 or 4.10.1. ### Workarounds Disable t...
composer/contao/core-bundle >=4.0.0 <4.4.52, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.6, >=4.10.0 <4.10.1
composer/contao/contao >=4.0.0 <4.4.52, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.6, >=4.10.0 <4.10.1
Contao Contao >=4.0 <4.4.52
Contao Contao >=4.9.0 <4.9.6
Contao Contao >=4.10.0 <4.10.1
composer/contao/core-bundle >=4.10.0 <4.10.1
and 5 more
Contao prior to 2.11.4 has a SQL injection vulnerability
Contao Contao <2.11.4
### Impact Backend users can manipulate the details view URL to show pages and articles that have not been enabled for them. ### Patches Update to Contao 4.4.46 or 4.8.6. ### Workarounds None. #...
composer/contao/core-bundle >=4.0.0 <4.4.46, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.8.6
composer/contao/contao >=4.0.0 <4.4.46, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.8.6
composer/contao/core-bundle >=4.5.0 <4.8.6
composer/contao/core-bundle >=4.0.0 <4.4.46
Contao Contao >=4.4.0 <=4.4.45
Contao Contao >=4.8 <=4.8.5
and 9 more
### Impact It is possible to inject insert tags into the login module which will be replaced when the page is rendered. ### Patches Update to Contao 4.8.6. ### Workarounds None. ### References ...
composer/contao/core-bundle >=4.8.4 <4.8.6
composer/contao/contao >=4.8.4 <4.8.6
composer/contao/core-bundle >=4.8.4 <4.8.6
Contao Contao =4.8.4
Contao Contao =4.8.5
composer/contao/contao >=4.8.4 <4.8.6
### Impact A back end user with access to the form generator can upload arbitrary files and execute them on the server. ### Patches Update to Contao 4.4.46 or 4.8.6. ### Workarounds Configure you...
composer/contao/contao >=4.0.0 <4.4.46, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.8.6
composer/contao/core-bundle >=4.0.0 <4.4.46, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.8.6
Contao Contao >=4.4 <=4.4.45
Contao Contao >=4.8 <=4.8.5
Contao Contao =4.0
Contao Contao =4.1
and 9 more
SQL injection vulnerability in the file manager search filter
composer/contao/core-bundle >=4.1.0 <4.4.39, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.7.5
composer/contao/contao >=4.1.0 <4.4.39, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.7.5
Contao Contao >=4.0.0 <4.4.39
Contao Contao >=4.5.0 <4.7.5
Contao before 4.5.7 has XSS in the system log.
composer/contao/core-bundle >=4.0.0 <4.4.18, >=4.5.0 <4.5.8
composer/contao/core >=3.0.0 <3.5.35
composer/contao/contao >=4.0.0 <4.4.18, >=4.5.0 <4.5.8
Contao Contao >=3.0.0 <=3.5.33
Contao Contao >=4.4.0 <=4.4.16
Contao Contao >=4.5.0 <=4.5.6
and 10 more

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203