Advisories for Composer/Contao/Core package

2024
2022
2019

SQL injection vulnerability

Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.

2018

XSS in system log of back end

There's a Cross-Site Scripting (XSS) vulnerability in system log of back end. With a manipulated request, an attacker can implant a script which is executed when a logged in back end user opens the system log. The attacker themselves does not have to be logged in.

XSS vulnerability in the newsletter extension

There's a XSS vulnerability is in the "unsubscribe" module of the newsletter extension and it can easily be exploited by anyone in the front end. If you are not using the newsletter extension or the "unsubscribe" module, your installation is not affected by the vulnerability.

2017

Path Traversal

Contao allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.

Path Traversal

Directory traversal vulnerability in Contao allows remote authenticated back end users to view files outside their file mounts or the document root via unspecified vectors.

2016

Cross-site Scripting

Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by jsinitfunctio%gn."

2014