Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

Cross site scripting in widgets with units

by Leo Feyer

Date: 2023-07-25
CVE ID: CVE-2023-36806

Authenticated users can inject malicious code in widgets with units.

Read more …

Directory traversal in the file manager

by Leo Feyer

Date: 2023-04-25
CVE ID: CVE-2023-29200

Authenticated users in the back end can list files outside the document root in the file manager.

Read more …

Cross site scripting via canonical URL

by Leo Feyer

Date: 2022-05-05
CVE ID: CVE-2022-24899

Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end).

Read more …

Privilege escalation with the form generator

by Leo Feyer

Date: 2021-08-11
CVE ID: CVE-2021-37627

It is possible for untrusted users to gain administrator rights with the form generator.

Read more …

PHP file inclusion via insert tags

by Leo Feyer

Date: 2021-08-11
CVE ID: CVE-2021-37626

It is possible for untrusted users to load arbitrary PHP files via insert tags.

Read more …

Cross site scripting via HTML attributes in the back end

by Leo Feyer

Date: 2021-08-11
CVE ID: CVE-2021-35955

It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end).

Read more …

Cross site scripting in the system log

by Leo Feyer

Date: 2021-06-23
CVE ID: CVE-2021-35210

It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called. The problem affects all Contao versions as of Contao 4.5 and has been fixed in Contao 4.9.16 and 4.11.5.

Read more …

Insert tag injection in forms

by Leo Feyer

Date: 2020-09-24
CVE ID: CVE-2020-25768

It is possible to inject insert tags in front end forms which will be replaced when the page is rendered. The problem affects all Contao versions as of Contao 4.0 and has been fixed in Contao 4.4.52, 4.9.6 and 4.10.1.

Read more …

Insert tag injection in the login module

by Leo Feyer

Date: 2019-12-17
CVE ID: CVE-2019-19714

It is possible to inject insert tags into the login module which will be replaced when the page is rendered. The problem affects Contao 4.8.4 and 4.8.5 and has been fixed in Contao 4.8.6.

Read more …

Information disclosure in the back end

by Leo Feyer

Date: 2019-12-17
CVE ID: CVE-2019-19712

Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. The problem affects all Contao versions as of Contao 4.0 and has been fixed in Contao 4.4.46 and 4.8.6.

Read more …