Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

Insert tag injection via canonical URLs

by Leo Feyer

Date: 2024-09-17
CVE ID: CVE-2024-45612

It is possible to inject insert tags in canonical URLs which will be replaced when the page is rendered.

Directory traversal in the FileSelector widget

by Leo Feyer

Date: 2024-09-17
CVE ID: CVE-2024-45604

Back end users can list files outside their file mounts or the document root in the FileSelector widget.

Remote command execution through file uploads

by Leo Feyer

Date: 2024-09-17
CVE ID: CVE-2024-45398

Back end users with access to the file manager can upload malicious files and execute them on the server.

Session cookie disclosure in the crawler

by Leo Feyer

Date: 2024-04-09
CVE ID: CVE-2024-28235

If the crawler is set to crawl protected pages, it sends the cookie header to external URLs.

Cross site scripting in the file manager

by Leo Feyer

Date: 2024-04-09
CVE ID: CVE-2024-28190

Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the back end.

Insert tag injection via the form generator

by Leo Feyer

Date: 2024-04-09
CVE ID: CVE-2024-28191

It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.

Remember-me tokens are not cleared after a password change

by Leo Feyer

Date: 2024-04-09
CVE ID: CVE-2024-30262

When a front end member changes their password, the corresponding remember-me tokens are not removed.

Insufficient BBCode sanitization

by Leo Feyer

Date: 2024-04-09
CVE ID: CVE-2024-28234

If BBCode is enabled for comments, users can inject CSS styles.

Cross site scripting in widgets with units

by Leo Feyer

Date: 2023-07-25
CVE ID: CVE-2023-36806

Authenticated users can inject malicious code in widgets with units.

Directory traversal in the file manager

by Leo Feyer

Date: 2023-04-25
CVE ID: CVE-2023-29200

Authenticated users in the back end can list files outside the document root in the file manager.
