Lucene search
K

517 matches found

CNNVD
CNNVD
added 2025/08/28 12:0 a.m.14 views

Contao 安全漏洞

Contao is an open source Content Management System CMS developed in PHP by Contao Open Source. The system supports search engines, rights management, and CSS frameworks. A security vulnerability exists in Contao version 5.3.38 and versions prior to 5.6.1, which stems from the possibility of...

4.3CVSS6.5AI score0.00225EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2025/05/23 10:35 a.m.8 views

CVE-2024-47069

Oveleon Cookie Bar is a cookie bar is for the Contao Open Source CMS and allows a visitor to define cookie & privacy settings for the website. Prior to versions 1.16.3 and 2.1.3, the block/locale endpoint does not properly sanitize the user-controlled locale input before including it in the...

6.1CVSS6.4AI score0.00423EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/23 10:34 a.m.7 views

CVE-2024-45604

Contao is an Open Source CMS. In affected versions authenticated users in the back end can list files outside the document root in the file selector widget. Users are advised to update to Contao 4.13.49. There are no known workarounds for this vulnerability...

4.3CVSS6.6AI score0.00427EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 10:34 a.m.6 views

CVE-2024-45612

Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page front end. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root...

5.3CVSS6.8AI score0.00298EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 10:10 a.m.9 views

CVE-2024-28191

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a...

5.4CVSS6.6AI score0.00497EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 9:16 a.m.5 views

CVE-2024-30262

Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me...

7.1CVSS7AI score0.00495EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:46 a.m.7 views

CVE-2024-28234

Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. A...

4.7CVSS6.7AI score0.00572EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:45 a.m.14 views

CVE-2024-28235

Contao is an open source content management system. Starting in version 4.9.0 and prior to versions 4.13.40 and 5.3.4, when checking for broken links on protected pages, Contao sends the cookie header to external urls as well, the passed options for the http client are used for all requests. Cont...

8.3CVSS6.7AI score0.00708EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:45 a.m.15 views

CVE-2024-28190

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files back end and front end, which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 an...

5.4CVSS6.9AI score0.00502EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 5:31 a.m.7 views

CVE-2023-29200

Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files. Users should update to Contao...

6.5CVSS6.6AI score0.00797EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 8:36 p.m.5 views

CVE-2021-35210

Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tllog table that will be executed in the browser when the system log is called in the back end...

6.1CVSS6.4AI score0.0074EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 7:55 p.m.5 views

CVE-2021-35955

Contao =4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7...

4.8CVSS5.6AI score0.00557EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 8:41 a.m.4 views

CVE-2019-19712

Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them...

5.3CVSS6.8AI score0.0088EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 8:26 a.m.5 views

CVE-2019-19714

Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered...

5.3CVSS6.7AI score0.00819EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 8:25 a.m.5 views

CVE-2019-19745

Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server...

8.8CVSS7.1AI score0.01108EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 7:59 a.m.12 views

CVE-2018-5478

Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension...

6.1CVSS5.8AI score0.00411EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 6:10 a.m.5 views

CVE-2012-4383

contao prior to 2.11.4 has a sql injection vulnerability...

8.8CVSS7.1AI score0.00919EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 5:41 a.m.3 views

CVE-2014-1860

Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities...

9.8CVSS7.3AI score0.03648EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/03/24 8:18 p.m.7 views

CVE-2024-45965

Contao before 5.5.6 allows XSS via an SVG document. This affects in contao/core-bundle in Composer 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5..x before 5.5.6...

6.4CVSS6AI score0.00318EPSS
Exploits1References1
Veracode
Veracode
added 2025/03/21 4:48 a.m.6 views

Cross-site Scripting (XSS)

Contao is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper file validation due to users being able to upload SVG files containing malicious code, which can be executed in the back end and/or front end...

5.4CVSS6.2AI score0.00203EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder