Advisories for Composer/Contao/Core-Bundle package

2024
2023

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.9.42, 4.13.28, and 5.1.10, it is possible for untrusted backend users to inject malicious code into headline fields in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights …

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files. Users should update to Contao 4.9.40, 4.13.21 or 5.1.4 to receive a patch. There are no known workarounds.

2022
2021

Improper Privilege Management

Contao is an open source CMS that allows creation of websites and scalable web applications.All users are advised to update to Contao As a workaround users may disable the form generator or disable the login for untrusted back end users.

Code Injection

Contao is an open source CMS that allows you to create websites and scalable web applications.Update to Contao to resolve. If you cannot update then disable the login for untrusted back end users.

2020
2019

SQL injection vulnerability

Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.

2017