Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao.

2018

Date: 2018-12-13
CVE ID: CVE-2018-20028

Logged in back end users can view records which have not been enabled for them. The problem affects all Contao versions and has been fixed in Contao 3.5.37, 4.4.31 and 4.6.11.

Date: 2018-09-18
CVE ID: CVE-2018-17057

A vulnerability in TCPDF allows for arbitrary code execution. The problem affects all Contao versions and has been fixed in Contao 3.5.36, 4.4.25 and 4.6.4.

Date: 2018-04-18
CVE ID: CVE-2018-10125

The system log is vulnerable to cross site scripting in the back end. The problem affects all Contao versions and has been fixed in Contao 3.5.34, 4.4.17 and 4.5.7.

Security policy

If you think that you have found a se­cu­ri­ty is­sue in Con­tao, please re­port it ac­cor­ding to our se­cu­ri­ty poli­cy.