Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
Arbitrary code execution in TCPDF
CVE ID: CVE-2018-17057
CVE-2018-17057 identifies a security vulnerability in TCPDF, which also affects Contao. Through a manipulated image file, a logged-in back end user can implant arbitrary code that is executed when an article is exported as a PDF in the front end.
The vulnerability has been fixed in TCPDF 6.2.22.
Affected versions:
Contao 3.* up to 3.5.35
Contao 4.4 up to 4.4.34
Contao 4.6 up to 4.6.3
Update to TCPDF 6.2.22 or Contao 3.5.36, 4.4.25 or 4.6.4.