Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the backend as well as in the listing module.
contao.org/de/changelog/versions/4.4.html
contao.org/en/news/contao-4_4_8.html
github.com/contao/contao/blob/4.4.57/CHANGELOG.md#448-2017-11-15
github.com/contao/contao/commit/501cb3cd34d61089b94e7ed78da53977bc71fc3e
github.com/contao/contao/commit/6b4a2711edf166c85cfd7a53fed6aea56d4f0544
github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2017-16558.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2017-16558.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/listing-bundle/CVE-2017-16558.yaml
nvd.nist.gov/vuln/detail/CVE-2017-16558