517 matches found
CVE-2025-29790
Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6...
Cross-site Scripting (XSS)
Overview contao/core-bundle is an Open Source PHP Content Management System for people who want a professional website that is easy to maintain. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the uploadTo function in FileUpload.php. An attacker can execute scripts...
Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
Impact Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. Patches Update to Contao 4.13.54, 5.3.30 or 5.5.6. Workarounds Remove svg,svgz from the allowed upload file types in the system settings and from contao.editablefiles in the config.yaml...
GHSA-VQQR-FGMH-F626 Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
Impact Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. Patches Update to Contao 4.13.54, 5.3.30 or 5.5.6. Workarounds Remove svg,svgz from the allowed upload file types in the system settings and from contao.editablefiles in the config.yaml...
CVE-2025-29790
Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6...
CVE-2025-29790 Contao allows cross-site scripting through SVG uploads
Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6...
CVE-2025-29790 Contao allows cross-site scripting through SVG uploads
Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6...
CVE-2025-29790
Contao CMS is affected by a Cross‑Site Scripting (XSS) vulnerability triggered by uploading SVG files containing malicious code, which can be executed in backend or frontend contexts. Affected versions are not specified in the initial document, but remediation is provided: upgrade to Contao 4.13....
CVE-2025-29790 Contao allows cross-site scripting through SVG uploads
Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6...
Contao 跨站脚本漏洞
Contao is Contao open source a set of open source content management system CMS developed using PHP. The system supports search engines, rights management, and CSS frameworks. Contao suffers from a cross-site scripting vulnerability that stems from the fact that users can upload SVG files...
CVE-2021-37626
Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify...
CVE-2021-37627
Contao is an open source CMS that allows creation of websites and scalable web applications. In affected versions it is possible to gain privileged rights in the Contao back end. Installations are only affected if they have untrusted back end users who have access to the form generator. All users...
CVE-2022-24899
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings...
CVE-2024-45398
Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does...
Cross-site Scripting (XSS)
Contao is vulnerable to stored Cross-site Scripting XSS. The vulnerability is due to improper validation of SVG file uploads, allowing an authenticated admin to upload a file containing malicious JavaScript that can be executed when accessed through the website...
Duplicate Advisory: Contao allows admin an account to upload SVG file containing malicious JavaScript
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vqqr-fgmh-f626. This link is maintained to preserve external references. Original Description Contao 5.4.1 allows an authenticated admin account to upload a SVG file containing malicious javascript code into the...
GHSA-MRW8-5368-PHM3 Duplicate Advisory: Contao allows admin an account to upload SVG file containing malicious JavaScript
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vqqr-fgmh-f626. This link is maintained to preserve external references. Original Description Contao 5.4.1 allows an authenticated admin account to upload a SVG file containing malicious javascript code into the...
CVE-2024-45965
Contao before 5.5.6 allows XSS via an SVG document. This affects in contao/core-bundle in Composer 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5..x before 5.5.6...
Contao 代码问题漏洞
Contao is an open source Content Management System CMS developed in PHP by Contao Open Source. The system supports search engines, rights management and CSS frameworks. A security vulnerability exists in Contao version 5.4.1. The vulnerability is exploited by attackers to perform cross-site...
CVE-2024-45965
Contao before 5.5.6 allows XSS via an SVG document. This affects in contao/core-bundle in Composer 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5..x before 5.5.6...