6 matches found
CVE-2019-19745
Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server...
Directory traversal in the file manager
Date : 2023-04-25 CVE ID : CVE-2023-29200 Authenticated users in the back end can list files outside the document root in the file manager. However, it is not possible to read the contents of these files. Thanks to Daniel Barros for reporting the problem. Affected versions Contao 4.0 Contao 4.1...
Cross site scripting via HTML attributes in the back end
Date : 2021-08-11 CVE ID : CVE-2021-35955 Description It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview back end and on the website front end. Installations are only affected if there are untrusted...
PHP file inclusion via insert tags
Date : 2021-08-11 CVE ID : CVE-2021-37626 Description It is possible for untrusted users to load arbitrary PHP files via insert tags. Installations are only affected if there are untrusted back end users. Affected versions Contao 4.0 Contao 4.1 Contao 4.2 Contao 4.3 Contao 4.4 up to 4.4.55 Contao...
CVE-2019-19712
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them...
Information disclosure in the back end
Date : 2019-12-17 CVE ID : CVE-2019-19712 Description Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. Affected versions Contao 4.0 Contao 4.1 Contao 4.2 Contao 4.3 Contao 4.4 up to 4.4.45 Contao 4.5 Contao 4.6 Contao 4.7 Contao 4....