Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

Arbitrary code execution in TCPDF

by Leo Feyer

Date: 2018-09-18
CVE ID: CVE-2018-17057

Description

CVE-2018-17057 identifies a security vulnerability in TCPDF, which also affects Contao. Through a manipulated image file, a logged-in back end user can implant arbitrary code which is executed when an article is exported as PDF in the front end.

The vulnerability has been fixed in TCPDF 6.2.22.

Affected versions

Contao 3.* up to 3.5.35
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.34
Contao 4.5
Contao 4.6 up to 4.6.3

Suggested solution

Update to TCPDF 6.2.22 or Contao 3.5.36, 4.4.25 or 4.6.4.
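To turn the affected-version list and the suggested solution into a repeatable check, the following script (an added example, not Contao's or TCPDF's own code) encodes the Contao ranges and the fixed TCPDF release exactly as stated in this advisory and triages a composer.lock file. The Composer package names `contao/core-bundle` and `tecnickcom/tcpdf` are assumptions, and the composer.lock excerpt is constructed sample data.

```python
"""Version triage for CVE-2018-17057 (TCPDF, as shipped with Contao).

Added example for this advisory; not Contao's or TCPDF's own code.
Affected Contao ranges and the fixed TCPDF release come from the advisory
text. The package names below are assumptions, and the composer.lock
excerpt is constructed sample data.
"""
import json
import re

INF = float("inf")  # sentinel: no upper patch bound within a release line

# Inclusive (low, high) ranges of affected Contao versions, per the advisory.
CONTAO_AFFECTED = [
    ((3, 0, 0), (3, 5, 35)),   # Contao 3.* up to 3.5.35
    ((4, 1, 0), (4, 1, INF)),  # Contao 4.1 (whole line)
    ((4, 2, 0), (4, 2, INF)),  # Contao 4.2 (whole line)
    ((4, 3, 0), (4, 3, INF)),  # Contao 4.3 (whole line)
    ((4, 4, 0), (4, 4, 34)),   # Contao 4.4 up to 4.4.34
    ((4, 5, 0), (4, 5, INF)),  # Contao 4.5 (whole line)
    ((4, 6, 0), (4, 6, 3)),    # Contao 4.6 up to 4.6.3
]
TCPDF_FIXED = (6, 2, 22)       # first TCPDF release containing the fix


def parse_version(text):
    """Map '4.4.34', 'v6.2.22' or '4.4' to a 3-int tuple; suffixes such as '-RC1' are dropped."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def contao_is_affected(version):
    """True if the Contao release falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in CONTAO_AFFECTED)


def tcpdf_is_affected(version):
    """True for any TCPDF release older than the fixed 6.2.22."""
    return parse_version(version) < TCPDF_FIXED


def triage_composer_lock(lock_text):
    """Read installed versions from composer.lock content and flag affected packages.

    Returns {'contao': (version, affected), 'tcpdf': (version, affected)};
    a package that is not present maps to (None, None).
    """
    lock = json.loads(lock_text)
    installed = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            installed[pkg["name"]] = pkg["version"]
    result = {}
    for key, name, check in (
        ("contao", "contao/core-bundle", contao_is_affected),  # assumed package name
        ("tcpdf", "tecnickcom/tcpdf", tcpdf_is_affected),      # assumed package name
    ):
        ver = installed.get(name)
        result[key] = (ver, check(ver)) if ver is not None else (None, None)
    return result


# Constructed composer.lock excerpt: a Contao 4.4 site still pinning the
# vulnerable TCPDF release.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "contao/core-bundle", "version": "4.4.34"},
        {"name": "tecnickcom/tcpdf", "version": "6.2.21"},
    ]
})

if __name__ == "__main__":
    for key, (ver, affected) in triage_composer_lock(SAMPLE_COMPOSER_LOCK).items():
        print("%-6s %-8s %s" % (key, ver, "AFFECTED - update" if affected else "ok"))
```

Because the advisory accepts either update (TCPDF 6.2.22 or a fixed Contao release), the decisive signal is the installed TCPDF version: a Contao release inside the affected ranges whose TCPDF dependency has already been raised to 6.2.22 is no longer exposed, so treat the Contao range result as a prompt to inspect the TCPDF line rather than as a verdict on its own.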
