Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

2017

SQL injection in the back end search filter and the listing module

Date: 2017-11-15
CVE ID: CVE-2017-16558

The back end search filter and the listing module are vulnerable to SQL injections. The problem affects all Contao versions as of Contao 4.0 and has been fixed in Contao 4.4.8.

Read more …

PHP file inclusion in the back end

Date: 2017-07-12
CVE ID: CVE-2017-10993

A logged in back end user can include arbitrary existing PHP. The problem affects all Contao versions and has been fixed in Contao 3.5.27 and 4.4.0.

Read more …