Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
SQL injection in the back end search filter and the listing module
CVE ID: CVE-2017-16558
Both the search filter in the back end and the listing module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas in the front end the vulnerability can be exploited by anyone.
Contao 3.* up to 3.5.29
Contao 4.4 up to 4.4.6
Update to Contao 3.5.30 or 4.4.7.