CVE-2021-37626
Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify...
Privilege escalation via form generator
Impact: It is possible for untrusted users to gain administrator rights with the form generator. Installations are only affected if there are untrusted back end users with access to the form generator. Patches: Update to Contao 4.4.56, 4.9.18 or 4.11.7. Workarounds: Disable the form generator or...
PHP file inclusion via insert tags
Impact: It is possible for untrusted users to load arbitrary PHP files via insert tags. Installations are only affected if there are untrusted back end users. Patches: Update to Contao 4.4.56, 4.9.18 or 4.11.7. Workarounds: Disable the login for untrusted back end users. References...
CVE-2021-35955
Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7...