CVE-2018-10125
Description
Contao before 4.5.7 has XSS in the system log.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contao before 4.5.7 contains a cross-site scripting vulnerability in the system log, allowing authenticated administrators to inject malicious scripts.
Vulnerability
Overview
Contao versions prior to 4.5.7 are affected by a cross-site scripting (XSS) vulnerability in the system log [1][2]. Log entries that contain user-supplied text are stored and later rendered in the back-end log view without adequate sanitization, so an attacker who can get a payload into a log message can inject arbitrary web script or HTML into the page an administrator sees [2].
Exploitation
The vulnerability is exploitable by an authenticated back-end user whose actions produce log entries containing text under that user's control. An attacker with administrative access to the Contao backend can craft a request that stores an XSS payload in the system log; when another administrator views the log, the injected script executes in that administrator's browser session [2]. Because the payload is stored in the log table rather than reflected from a single request, it fires on every subsequent view of the log until the entry is removed.
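To make the mechanism concrete, the following PHP is an added example written for this page; it is not Contao's code and does not reproduce the real tl_log rendering. It builds a constructed log table in which one entry carries attacker-controlled text, renders it once by plain string concatenation (the vulnerable pattern) and once with output escaping, and adds a small triage helper for reviewing entries already stored in a log. The function names, column names and sample payload are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not Contao's own code: a generic back-end log viewer that
// stores user-influenced text and renders it as HTML, first without and then
// with output escaping. Column names are assumptions modelled on a tl_log-style table.

// Constructed sample entries. The second one carries attacker-controlled text
// that reached the message field through an action the user could trigger.
function sampleLogEntries(): array
{
    return [
        [
            'tstamp'   => 1523000000,
            'username' => 'system',
            'text'     => 'Purged the internal cache',
        ],
        [
            'tstamp'   => 1523000060,
            'username' => 'k.fleming',
            'text'     => 'Invalid login attempt: <img src=x onerror=alert(document.cookie)>',
        ],
    ];
}

// Vulnerable pattern: stored strings are concatenated straight into markup,
// so any tag inside a log message becomes live HTML in the viewer's browser.
function renderLogVulnerable(array $entries): string
{
    $rows = '';
    foreach ($entries as $e) {
        $rows .= '<tr><td>' . date('Y-m-d H:i', $e['tstamp']) . '</td>'
               . '<td>' . $e['username'] . '</td>'
               . '<td>' . $e['text'] . '</td></tr>';
    }

    return '<table>' . $rows . '</table>';
}

// HTML escaping for untrusted strings in element content or attribute values.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would otherwise hide entries.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every stored field is escaped at the point of output,
// regardless of what was (or was not) filtered when the entry was written.
function renderLogSafe(array $entries): string
{
    $rows = '';
    foreach ($entries as $e) {
        $rows .= '<tr><td>' . h(date('Y-m-d H:i', $e['tstamp'])) . '</td>'
               . '<td>' . h($e['username']) . '</td>'
               . '<td>' . h($e['text']) . '</td></tr>';
    }

    return '<table>' . $rows . '</table>';
}

// Triage helper for an existing installation: return the entries whose stored
// text already looks like markup, so they can be reviewed after patching.
function findSuspiciousEntries(array $entries): array
{
    return array_values(array_filter($entries, static function (array $e): bool {
        return (bool) preg_match('/<\s*[a-z!\/?]/i', $e['username'] . ' ' . $e['text']);
    }));
}

$entries = sampleLogEntries();
$live    = '<img src=x onerror=';

printf("vulnerable render contains live tag: %s\n",
    strpos(renderLogVulnerable($entries), $live) !== false ? 'yes' : 'no');
printf("escaped render contains live tag:    %s\n",
    strpos(renderLogSafe($entries), $live) !== false ? 'yes' : 'no');
printf("entries flagged for review: %d\n", count(findSuspiciousEntries($entries)));
```

Run it with `php` on the command line. The escaped render still shows the attacker's text to the administrator, but as inert characters rather than a tag. Note that `htmlspecialchars` is the right primitive only for HTML element content and quoted attribute values; text that ends up inside a script block, an inline event handler or a URL needs that context's own encoding.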
Impact
Successful exploitation allows an attacker to execute JavaScript in the context of the victim's browser. This can lead to session hijacking, data exfiltration, or further compromise of the Contao installation [1][2].
Mitigation
Users should upgrade to a fixed release of the branch they run: 3.5.35 for Contao 3, 4.4.18 for the 4.4 LTS branch, and 4.5.7 or later for the 4.5 branch (the GitHub advisory lists 4.5.8 as the first patched 4.5 release) [1][2]. The fix sanitizes log entries before they are displayed in the back end. No workarounds are known. Since the advisory is published in the FriendsOfPHP security-advisories database [6][7][8], `composer audit` (Composer 2.4 or later) reports an installed contao/contao, contao/core-bundle or contao/core package that falls into an affected range.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Packagist) | Affected versions | Patched versions |
|---|---|---|
| contao/contao | >= 4.0.0, < 4.4.18 | 4.4.18 |
| contao/contao | >= 4.5.0, < 4.5.8 | 4.5.8 |
| contao/core-bundle | >= 4.0.0, < 4.4.18 | 4.4.18 |
| contao/core-bundle | >= 4.5.0, < 4.5.8 | 4.5.8 |
| contao/core | >= 3.0.0, < 3.5.35 | 3.5.35 |
| contao/core-bundle | >= 3.0.0, < 3.5.35 | 3.5.35 |
Affected products
- Contao/Contao, version ranges taken from the GHSA coordinates (no CPE assigned):
  - >= 4.0.0, < 4.4.18
  - >= 3.0.0, < 3.5.35
  - >= 4.0.0, < 4.4.18
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-pj4j-287j-f742 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2018-10125 (NVD entry)
3. contao.org/en/news/contao-3_5_35.html (Contao 3.5.35 release notes)
4. contao.org/en/news/contao-4_4_18.html (Contao 4.4.18 release notes)
5. contao.org/en/security-advisories/cross-site-scripting-in-the-system-log.html (vendor security advisory)
6. github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2018-10125.yaml (FriendsOfPHP advisory, contao/contao)
7. github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2018-10125.yaml (FriendsOfPHP advisory, contao/core-bundle)
8. github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2018-10125.yaml (FriendsOfPHP advisory, contao/core)
News mentions
No linked articles in our index yet.