Cross-site Scripting (XSS)

Overview contao/core-bundle is an Open Source PHP Content Management System for people who want a professional website that is easy to maintain. Affected versions of this package are vulnerable to Cross-site Scripting XSS via template output. An attacker can execute arbitrary scripts in the brows...

Insufficient Type Distinction

Overview contao/core-bundle is an Open Source PHP Content Management System for people who want a professional website that is easy to maintain. Affected versions of this package are vulnerable to Insufficient Type Distinction in the Template::once method. Backend users with sufficient privileges...

Incorrect Authorization

Overview contao/core-bundle is an Open Source PHP Content Management System for people who want a professional website that is easy to maintain. Affected versions of this package are vulnerable to Incorrect Authorization due to table access voter improper verification of a user permissions to...

Incorrect Authorization

Overview contao/core-bundle is an Open Source PHP Content Management System for people who want a professional website that is easy to maintain. Affected versions of this package are vulnerable to Incorrect Authorization in the fragments rendering process. An attacker can access sensitive...

Incorrect Authorization

Overview contao/core-bundle is an Open Source PHP Content Management System for people who want a professional website that is easy to maintain. Affected versions of this package are vulnerable to Incorrect Authorization in the page and article edit fields. An attacker can modify content without...

Cross-site Scripting (XSS)

Overview contao/core-bundle is an Open Source PHP Content Management System for people who want a professional website that is easy to maintain. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the uploadTo function in FileUpload.php. An attacker can execute scripts...

Directory Traversal

contao/core-bundle is vulnerable to Directory Traversal. The vulnerability is due to insufficient validation or restriction of file paths in the FileSelector widget, allowing authenticated users to access directories outside the intended document root...

CVE-2024-45398 Remote command execution through file upload in contao/core-bundle

Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does...

Arbitrary Code Execution

contao/core is vulnerable to Arbitrary Code Execution. The vulnerability is due to untrusted POST data being passed to the deserialize function which could result in Arbitrary Code Execution...

GHSA-WQ43-8R5P-W3MC contao/core PHP object injection vulnerability allows for arbitrary code execution

PHP object injection vulnerability was identified in contao/core due to untrusted data being passed to deserialize function...

PT-2024-40514 · Contao · Contao/Core

Name of the Vulnerable Software and Affected Versions: contao/core versions 2.x prior to 2.11.17 contao/core versions 3.x prior to 3.2.9 Description: The issue is related to arbitrary code execution on the server due to insufficient input validation. Attackers can exploit this by entering a...

PT-2024-40504 · Contao · Contao/Core

Name of the Vulnerable Software and Affected Versions: contao/core affected versions not specified Description: A PHP object injection issue was identified due to untrusted data being passed to the deserialize function. Recommendations: At the moment, there is no information about a newer version...

Cross-site Scripting (XSS)

contao/core-bundle is vulnerable to cross-site scriptingXSS attacks. The library does not properly sanitize the user inputs through the canonical tag, allowing an attacker to inject and execute malicious javascript...

Cross-site Scripting (XSS)

contao/core-bundle is vulnerable to cross-site scripting. The vulnerability exists in the prepare function of PageRegular.php, allowing an attacker to inject and execute malicious javascript through the canonical tags...

GHSA-9JQ2-JVWC-P52F Contao core SQL Injection Vulnerability

Contao core prior to 2.11.4 has a SQL injection vulnerability in contao-2.11.3\system\modules\backend\Ajax.php...

Cross-site Scripting (XSS)

contao/core-bundle is vulnerable to cross site scripting. The vulnerability exists due to an insecure tllog table which will execute injected code in the browser when the system log is called in the back end...

SQL Injection

contao/core-bundle is vulnerable to SQL injection. The vulnerability exists in the value of strField in the file manager search filter, which allows a remote attacker to inject and execute arbitrary SQL queries through the affected parameter...

Cross-Site Scripting (XSS)

contao/core is vulnerable to cross-site scripting XSS. A remote attacker is able to inject arbitrary Javascript into a victim's browser via the email parameter in the Newsletter module...

Directory Traversal

contao/core-bundle is vulnerable to directory traversal attacks. A logged in, back-end user can include and exclude local PHP files through URL manipulation...