VYPR

Packagist (Composer) package

contao/core

pkg:composer/contao/core

Vulnerabilities (7)

  • CVE-2018-5478Sep 21, 2023
    affected >= 3.0.0, < 3.5.32fixed 3.5.32

    Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension.

  • CVE-2018-10125Mar 16, 2020
    affected >= 3.0.0, < 3.5.35fixed 3.5.35

    Contao before 4.5.7 has XSS in the system log.

  • CVE-2012-4383Jan 29, 2020
    affected < 2.11.4fixed 2.11.4

    contao prior to 2.11.4 has a sql injection vulnerability

  • CVE-2019-10641Apr 17, 2019
    affected >= 3.0.0, < 3.5.39fixed 3.5.39

    Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password.

  • CVE-2017-10993HigJul 21, 2017
    affected >= 3.0.0, < 3.5.28fixed 3.5.28

    Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.

  • CVE-2015-0269MedMay 26, 2017
    affected >= 3.4.0, < 3.4.4fixed 3.4.4

    Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x before 3.4.4 allows remote authenticated "back end" users to view files outside their file mounts or the document root via unspecified vectors.

  • CVE-2016-4567MedMay 22, 2016
    affected >= 3.0.0, < 3.5.15fixed 3.5.15

    Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "j