Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
Session invalidation upon password changes
CVE ID: CVE-2019-10641
Security researcher Ali Razzaq has discovered that existing sessions are not correctly invalidated when a user changes their password in the back end or front end.
Affected versions:
Contao 3.* up to 3.5.38
Contao 4.4 up to 4.4.36
Contao 4.7 up to 4.7.2
Update to Contao 3.5.39, 4.4.37 or 4.7.3.