Security advisories
Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
Cross site scripting in the system log
by Leo Feyer
Date: 2018-04-18
CVE ID: CVE-2018-10125
Description
With a manipulated request, an attacker can implant a script which is executed when a logged-in back end user opens the system log. The attacker does not have to be logged in.
Affected versions
Contao 3.* up to 3.5.33
Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.16
Contao 4.5 up to 4.5.6
Suggested solution
Update to Contao 3.5.34, 4.4.17 or 4.5.7.
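The description above is a stored cross-site scripting issue: request data recorded in the log is later rendered, unescaped, in the back end. The following is an added illustration of that pattern and its fix, written for this page; it is not Contao's code, and the entry format, field names and sample entries are constructed assumptions.

```php
<?php
// Illustrative example only, not Contao's code: a minimal system-log viewer.
// A log entry can contain attacker-controlled data (e.g. a request path or
// User-Agent recorded on an error), so it must never reach the HTML unescaped.

declare(strict_types=1);

// Constructed sample entries (assumed format). The second one carries a script
// tag in the logged request path, which any unauthenticated request can supply.
$entries = [
    ['date' => '2018-04-18 10:01:02', 'source' => 'FE', 'text' => 'Page ID 3 not found'],
    ['date' => '2018-04-18 10:01:05', 'source' => 'FE',
     'text' => 'Unknown path "/<script>alert(1)</script>"'],
];

/**
 * Vulnerable pattern: the entry text is interpolated into the markup as-is,
 * so a stored script runs in the browser of the back end user viewing the log.
 */
function renderLogUnsafe(array $entries): string
{
    $html = '';
    foreach ($entries as $e) {
        $html .= "<tr><td>{$e['date']}</td><td>{$e['source']}</td><td>{$e['text']}</td></tr>\n";
    }
    return $html;
}

/**
 * Hardened pattern: every field is HTML-escaped at output time, regardless of
 * where the value came from. ENT_QUOTES also covers attribute contexts.
 */
function renderLogSafe(array $entries): string
{
    $esc = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = '';
    foreach ($entries as $e) {
        $html .= '<tr><td>' . $esc($e['date']) . '</td><td>' . $esc($e['source'])
               . '</td><td>' . $esc($e['text']) . "</td></tr>\n";
    }
    return $html;
}

// The unsafe output still contains a live <script> element; the safe one does not.
echo 'unsafe contains <script>: ' . var_export(str_contains(renderLogUnsafe($entries), '<script>'), true) . "\n";
echo 'safe contains <script>:   ' . var_export(str_contains(renderLogSafe($entries), '<script>'), true) . "\n";
echo renderLogSafe($entries);
```

Escaping at the point of output, rather than trying to sanitise what gets written to the log, is the fix to apply in a log viewer; the log itself should keep the raw request data for forensic value.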