Security advisories
Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
SQL injection in the file manager
by Leo Feyer
Date: 2019-04-30
CVE ID: CVE-2019-11512
Description
David Wind, penetration tester with A1 Digital, has discovered that the SQL injection vulnerability originally published under CVE-2017-16558 can still be exploited in the file manager in Contao 4. The security vulnerability has the identifier CVE-2019-11512.
Affected versions
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.38
Contao 4.5
Contao 4.6
Contao 4.7 up to 4.7.4
Suggested solution
Update to Contao 4.4.39 or 4.7.5.