Advisories for Composer/Contao/Core package

2024

contao/core PHP object injection vulnerability allows for arbitrary code execution

PHP object injection vulnerability was identified in contao/core due to untrusted data being passed to deserialize() function.

contao/core Insufficient input validation allows for code injection and remote execution

contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. In fact, attackers can remove or change pathconfig.php by entering a URL, meaning that the entire Contao installation will no longer be accessible or malicious code can be executed.

2019

SQL injection vulnerability

Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.

Weak Password Recovery Mechanism for Forgotten Password

Contao has a Weak Password Recovery Mechanism for a Forgotten Password.

Use of a Key Past its Expiration Date

Contao allows Use of a Key Past its Expiration Date.

Cross-Site Request Forgery (CSRF)

Contao allows CSRF.

2018

XSS in system log of back end

There's a Cross-Site Scripting (XSS) vulnerability in system log of back end. With a manipulated request, an attacker can implant a script which is executed when a logged in back end user opens the system log. The attacker themselves does not have to be logged in.

XSS vulnerability in the newsletter extension

There's a XSS vulnerability is in the "unsubscribe" module of the newsletter extension and it can easily be exploited by anyone in the front end. If you are not using the newsletter extension or the "unsubscribe" module, your installation is not affected by the vulnerability.

2017