Security advisories
Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
Arbitrary code execution in TCPDF
by Leo Feyer
Date: 2018-09-18
CVE ID: CVE-2018-17057
Description
CVE-2018-17057 identifies a security vulnerability in TCPDF, which also affects Contao. Through a manipulated image file, a logged-in back end user can embed arbitrary code that is executed when an article is exported as a PDF in the front end.
The vulnerability has been fixed in TCPDF 6.2.22.
Affected versions
Contao 3.* up to 3.5.35
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.34
Contao 4.5
Contao 4.6 up to 4.6.3
Suggested solution
Update to TCPDF 6.2.22 or Contao 3.5.36, 4.4.25 or 4.6.4.
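As an added example (not part of the advisory or of the Contao project), a small Python check that applies the affected ranges listed above to a composer.lock and flags installations that still need the update. The Composer package names contao/core-bundle, contao/core and tecnickcom/tcpdf are assumptions, and the lock fragment is constructed.

```python
import json

def parse_version(version: str) -> tuple:
    """'v4.4.34' or '6.2.22' -> (4, 4, 34); '-dev'/'+meta' suffixes and non-numeric parts become 0."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def contao_is_affected(version: str) -> bool:
    """Contao ranges exactly as the advisory lists them."""
    major, minor, patch = parse_version(version)
    if major == 3:                   # Contao 3.* up to 3.5.35
        return (minor, patch) <= (5, 35)
    if major == 4:
        if minor in (1, 2, 3, 5):    # whole 4.1, 4.2, 4.3 and 4.5 branches
            return True
        if minor == 4:               # 4.4 up to 4.4.34
            return patch <= 34
        if minor == 6:               # 4.6 up to 4.6.3
            return patch <= 3
    return False                     # 4.0, 4.7+ and other majors are not listed

def tcpdf_is_affected(version: str) -> bool:
    """Fixed in TCPDF 6.2.22; anything older is affected."""
    return parse_version(version) < (6, 2, 22)

# Assumed Composer package names; the advisory does not state them.
CONTAO_PACKAGES = {"contao/core-bundle", "contao/core"}
TCPDF_PACKAGE = "tecnickcom/tcpdf"

def check_composer_lock(lock_json: str) -> dict:
    """Map each relevant package in a composer.lock to (version, affected?)."""
    findings = {}
    for pkg in json.loads(lock_json).get("packages", []):
        name, ver = pkg["name"], pkg["version"]
        if name == TCPDF_PACKAGE:
            findings[name] = (ver, tcpdf_is_affected(ver))
        elif name in CONTAO_PACKAGES:
            findings[name] = (ver, contao_is_affected(ver))
    return findings
# Constructed sample composer.lock fragment, not taken from a real installation.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "contao/core-bundle", "version": "4.4.34"},
    {"name": "tecnickcom/tcpdf", "version": "6.2.21"},
    {"name": "symfony/console", "version": "v3.4.15"},
]})

if __name__ == "__main__":
    for name, (ver, bad) in check_composer_lock(SAMPLE_LOCK).items():
        print(f"{name} {ver}: {'AFFECTED' if bad else 'ok'}")
```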