Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

Bypassing the request token check

Date: 2019-04-09
CVE ID: CVE-2019-10642

The request token check can be bypassed. The problem affects Contao 4.7 and has been fixed in Contao 4.7.3.

Read more …

Session invalidation upon password changes

Date: 2019-04-09
CVE ID: CVE-2019-10641

User sessions are not invalidated if a user changes their password. The problem affects all Contao versions and has been fixed in Contao 3.5.39, 4.4.37 and 4.7.3.

Read more …

Viewing unauthorized records in the back end

Date: 2018-12-13
CVE ID: CVE-2018-20028

Logged in back end users can view records which have not been enabled for them. The problem affects all Contao versions and has been fixed in Contao 3.5.37, 4.4.31 and 4.6.11.

Read more …

Arbitrary code execution in TCPDF

Date: 2018-09-18
CVE ID: CVE-2018-17057

A vulnerability in TCPDF allows for arbitrary code execution. The problem affects all Contao versions and has been fixed in Contao 3.5.36, 4.4.25 and 4.6.4.

Read more …

Cross site scripting in the system log

Date: 2018-04-18
CVE ID: CVE-2018-10125

The system log is vulnerable to cross site scripting in the back end. The problem affects all Contao versions and has been fixed in Contao 3.5.34, 4.4.17 and 4.5.7.

Read more …

SQL injection in the newsletter module

Date: 2018-01-18
CVE ID: CVE-2018-5478

The newsletter module "unsubscribe" is vulnerable to SQL injections. The problem affects all Contao versions and has been fixed in Contao 3.5.31.

Read more …

SQL injection in the back end search filter and the listing module

Date: 2017-11-15
CVE ID: CVE-2017-16558

The back end search filter and the listing module are vulnerable to SQL injections. The problem affects all Contao versions as of Contao 4.0 and has been fixed in Contao 4.4.8.

Read more …

PHP file inclusion in the back end

Date: 2017-07-12
CVE ID: CVE-2017-10993

A logged in back end user can include arbitrary existing PHP. The problem affects all Contao versions and has been fixed in Contao 3.5.27 and 4.4.0.

Read more …

Directory traversal in the back end

Date: 2015-02-12
CVE ID: CVE-2015-0269

Back end users can list files outside their file mounts or the document root. The problem affects all Contao versions and has been fixed in Contao 3.4.4.

Read more …