Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

Date: 2019-12-17
CVE ID: CVE-2019-19714

It is possible to inject insert tags into the login module which will be replaced when the page is rendered. The problem affects Contao 4.8.4 and 4.8.5 and has been fixed in Contao 4.8.6.

Date: 2019-12-17
CVE ID: CVE-2019-19712

Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. The problem affects all Contao versions as of Contao 4.0 and has been fixed in Contao 4.4.46 and 4.8.6.

Date: 2019-12-17
CVE ID: CVE-2019-19745

A back end user with access to the form generator can upload arbitrary files and execute them on the server. The problem affects all Contao versions as of Contao 4.0 and has been fixed in Contao 4.4.46 and 4.8.6.

Date: 2019-04-30
CVE ID: CVE-2019-11512

The search menu of the file manager is vulnerable to SQL injections. The problem affects all Contao versions as of Contao 4.1 and has been fixed in Contao 4.4.39 and 4.7.5.

Date: 2019-04-09
CVE ID: CVE-2019-10643

Confirming an opt-in token does not invalidate previous opt-in tokens. The problem affects Contao 4.7 and has been fixed in Contao 4.7.3.

Date: 2019-04-09
CVE ID: CVE-2019-10642

The request token check can be bypassed. The problem affects Contao 4.7 and has been fixed in Contao 4.7.3.

Date: 2019-04-09
CVE ID: CVE-2019-10641

User sessions are not invalidated if a user changes their password. The problem affects all Contao versions and has been fixed in Contao 3.5.39, 4.4.37 and 4.7.3.

Date: 2018-12-13
CVE ID: CVE-2018-20028

Logged in back end users can view records which have not been enabled for them. The problem affects all Contao versions and has been fixed in Contao 3.5.37, 4.4.31 and 4.6.11.

Date: 2018-09-18
CVE ID: CVE-2018-17057

A vulnerability in TCPDF allows for arbitrary code execution. The problem affects all Contao versions and has been fixed in Contao 3.5.36, 4.4.25 and 4.6.4.

Date: 2018-04-18
CVE ID: CVE-2018-10125

The system log is vulnerable to cross site scripting in the back end. The problem affects all Contao versions and has been fixed in Contao 3.5.34, 4.4.17 and 4.5.7.