Packagist (Composer) package
contao/core
pkg:composer/contao/core
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-5478 | — | >= 3.0.0, < 3.5.32 | 3.5.32 | Sep 21, 2023 | Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension. | ||
| CVE-2018-10125 | — | >= 3.0.0, < 3.5.35 | 3.5.35 | Mar 16, 2020 | Contao before 4.5.7 has XSS in the system log. | ||
| CVE-2012-4383 | — | < 2.11.4 | 2.11.4 | Jan 29, 2020 | contao prior to 2.11.4 has a sql injection vulnerability | ||
| CVE-2019-10641 | — | >= 3.0.0, < 3.5.39 | 3.5.39 | Apr 17, 2019 | Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password. | ||
| CVE-2017-10993 | Hig | 8.8 | >= 3.0.0, < 3.5.28 | 3.5.28 | Jul 21, 2017 | Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal. | |
| CVE-2015-0269 | Med | 4.3 | >= 3.4.0, < 3.4.4 | 3.4.4 | May 26, 2017 | Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x before 3.4.4 allows remote authenticated "back end" users to view files outside their file mounts or the document root via unspecified vectors. | |
| CVE-2016-4567 | Med | 6.1 | >= 3.0.0, < 3.5.15 | 3.5.15 | May 22, 2016 | Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "j |
- CVE-2018-5478Sep 21, 2023affected >= 3.0.0, < 3.5.32fixed 3.5.32
Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension.
- CVE-2018-10125Mar 16, 2020affected >= 3.0.0, < 3.5.35fixed 3.5.35
Contao before 4.5.7 has XSS in the system log.
- CVE-2012-4383Jan 29, 2020affected < 2.11.4fixed 2.11.4
contao prior to 2.11.4 has a sql injection vulnerability
- CVE-2019-10641Apr 17, 2019affected >= 3.0.0, < 3.5.39fixed 3.5.39
Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password.
- affected >= 3.0.0, < 3.5.28fixed 3.5.28
Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.
- affected >= 3.4.0, < 3.4.4fixed 3.4.4
Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x before 3.4.4 allows remote authenticated "back end" users to view files outside their file mounts or the document root via unspecified vectors.
- affected >= 3.0.0, < 3.5.15fixed 3.5.15
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "j