Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao.

Arbitrary code execution in TCPDF

Date: 2018-09-18
CVE ID: CVE-2018-17057

Description

CVE-2018-17057 identifies a security vulnerability in TCPDF, which also affects Contao. Through a manipulated image file, a logged-in back end user can implant arbitrary code which is executed when an article is exported as PDF in the front end.

The vulnerability has been fixed in TCPDF 6.2.22.

Affected versions

Contao 3.5 up to 3.5.35
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.34
Contao 4.5
Contao 4.6 up to 4.6.3

Suggested solution

Update to TCPDF 6.2.22 or Contao 3.5.36, 4.4.25 or 4.6.4.
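To turn the affected-version list and the fix version above into a repeatable check, here is a small added example (not code from Contao or TCPDF) that tests an installed Contao or TCPDF version string against exactly the ranges stated in this advisory. The ranges and the TCPDF fix release are copied from the advisory; version series listed without an upper bound (4.1, 4.2, 4.3, 4.5) are treated as affected in every patch release, and pre-release suffixes such as "-RC1" are rejected so that they get checked by hand rather than silently misclassified.

```python
"""Check a Contao or TCPDF version against the affected ranges listed in
the CVE-2018-17057 advisory. Added example, not part of Contao or TCPDF."""

# Affected Contao ranges copied from the advisory. Each entry is
# (lowest affected version, highest affected version); None as the upper
# bound means every patch release of that minor series is affected.
AFFECTED_CONTAO = [
    ((3, 5, 0), (3, 5, 35)),
    ((4, 1, 0), None),
    ((4, 2, 0), None),
    ((4, 3, 0), None),
    ((4, 4, 0), (4, 4, 34)),
    ((4, 5, 0), None),
    ((4, 6, 0), (4, 6, 3)),
]

# First TCPDF release carrying the fix, per the advisory.
TCPDF_FIXED = (6, 2, 22)


def parse_version(text):
    """Turn '4.4.34' (or '4.4') into a comparable tuple of three ints.

    Missing components are padded with zeros, so '4.4' becomes (4, 4, 0).
    Anything non-numeric (e.g. '4.6.4-RC1') raises ValueError on purpose:
    pre-releases should be checked by hand, not silently classified.
    """
    parts = text.strip().split(".")
    nums = []
    for part in parts[:3]:
        if not part.isdigit():
            raise ValueError(f"not a plain numeric version: {text!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def contao_is_affected(version):
    """True if the given Contao version falls inside an affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_CONTAO:
        if high is None:
            # Open-ended minor series: any patch level of major.minor is affected.
            if v[:2] == low[:2]:
                return True
        elif low <= v <= high:
            return True
    return False


def tcpdf_is_affected(version):
    """True if the given TCPDF version predates the fixed release."""
    return parse_version(version) < TCPDF_FIXED


if __name__ == "__main__":
    # Constructed sample inputs; replace with the versions you actually run.
    for contao in ("3.5.35", "3.5.36", "4.4", "4.4.35", "4.5.9", "4.6.4"):
        print(f"Contao {contao}: {'affected' if contao_is_affected(contao) else 'not affected'}")
    for tcpdf in ("6.2.21", "6.2.22"):
        print(f"TCPDF {tcpdf}: {'affected' if tcpdf_is_affected(tcpdf) else 'not affected'}")
```

The check uses the "Affected versions" list as the source of truth rather than the fix versions, so a composer-managed TCPDF can be checked independently of the Contao version: a site on an unaffected Contao release still needs TCPDF 6.2.22 or later if the library was pinned separately.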


Security policy

If you think that you have found a security issue in Contao, please report it according to our security policy.