Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

SQL injection in the back end search filter and the listing module

Date: 2017-11-15
CVE ID: CVE-2017-16558

Both the search filter in the back end and the listing module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas in the front end the vulnerability can be exploited by anyone.

Affected versions

Contao 3.* up to 3.5.29
Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.6

Suggested solution

Update to Contao 3.5.30 or 4.4.7.
