Packagist (Composer) package
contao/core-bundle
pkg:composer/contao/core-bundle
Vulnerabilities (31)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-25768 | — | — | — | >= 4.0.0, < 4.4.52 | 4.4.52 | Oct 7, 2020 | Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered. |
| CVE-2018-10125 | — | — | — | >= 4.0.0, < 4.4.18 | 4.4.18 | Mar 16, 2020 | Contao before 4.5.7 has XSS in the system log. |
| CVE-2019-19745 | — | — | — | >= 4.0.0, < 4.4.46 | 4.4.46 | Dec 17, 2019 | Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server. |
| CVE-2019-19714 | — | — | — | >= 4.8.4, < 4.8.6 | 4.8.6 | Dec 17, 2019 | Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered. |
| CVE-2019-19712 | — | — | — | >= 4.0.0, < 4.4.46 | 4.4.46 | Dec 17, 2019 | Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. |
| CVE-2019-11512 | — | — | — | >= 4.1.0, < 4.4.39 | 4.4.39 | Jul 9, 2019 | Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5. |
| CVE-2017-16558 | — | — | — | >= 4.0.0, < 4.4.8 | 4.4.8 | Apr 25, 2019 | Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the back end as well as in the listing module. |
| CVE-2019-10642 | — | — | — | >= 4.7.0, < 4.7.3 | 4.7.3 | Apr 17, 2019 | Contao 4.7 allows CSRF. |
| CVE-2019-10643 | — | — | — | >= 4.7.0, < 4.7.3 | 4.7.3 | Apr 17, 2019 | Contao 4.7 allows Use of a Key Past its Expiration Date. |
| CVE-2019-10641 | — | — | — | >= 4.0.0, < 4.4.37 | 4.4.37 | Apr 17, 2019 | Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password. |
| CVE-2017-10993 | High | 8.8 | — | >= 4.0.0, < 4.4.1 | 4.4.1 | Jul 21, 2017 | Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal. |
Page 2 of 2