Contao Core-Bundle vulnerabilities
31 known vulnerabilities affecting contao/core-bundle.
Total CVEs
31
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL 4, HIGH 7, MEDIUM 18, LOW 2
Vulnerabilities
Page 2 of 2
CVE-2019-10643 | CRITICAL | ≥ 4.7.0, < 4.7.3 | 2022-05-13
CVE-2019-10643 [CRITICAL] CWE-287 Contao Does Not Expire Tokens Correctly
Security researcher Ali Razzaq has discovered that confirming an opt-in token does not invalidate previous opt-in tokens in Contao 4.7.
CVE-2017-10993 | HIGH | ≥ 4.0.0, < 4.4.1 | 2022-05-13
CVE-2017-10993 [HIGH] CWE-22 Contao Core directory traversal vulnerability
A logged-in back end user can include arbitrary PHP files by manipulating a URL parameter. Since Contao does not allow uploading PHP files through the file manager, the attack is limited to PHP files that already exist on the server.
CVE-2018-10125 | MEDIUM | ≥ 4.0.0, < 4.4.18; ≥ 4.5.0, < 4.5.8; +1 more | 2022-02-10
CVE-2018-10125 [MEDIUM] CWE-79 Cross-site Scripting in Contao
Contao before 4.5.7 has XSS in the system log.
CVE-2021-35955 | MEDIUM | ≥ 4.0.0, < 4.4.56; ≥ 4.5.0, < 4.9.18; +1 more | 2021-08-25
CVE-2021-35955 [MEDIUM] CWE-79 Cross site scripting via HTML attributes in the back end
### Impact
It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end).
Installations are only affected if there are untrusted back end users who have the rights to modify HTML fields (e.g. TinyMCE).
### Patches
Update
CVE-2021-37627 | HIGH | ≥ 4.0.0, < 4.4.56; ≥ 4.5.0, < 4.9.18; +1 more | 2021-08-23
CVE-2021-37627 [HIGH] CWE-269 Privilege escalation via form generator
### Impact
It is possible for untrusted users to gain administrator rights with the form generator.
Installations are only affected if there are untrusted back end users with access to the form generator.
### Patches
Update to Contao 4.4.56, 4.9.18 or 4.11.7.
### Workarounds
Disable the form generator or disable the login for untrusted back end users.
### References
https://cont
CVE-2021-37626 | MEDIUM | ≥ 4.0.0, < 4.4.56; ≥ 4.5.0, < 4.9.18; +1 more | 2021-08-23
CVE-2021-37626 [MEDIUM] CWE-94 PHP file inclusion via insert tags
### Impact
It is possible for untrusted users to load arbitrary PHP files via insert tags.
Installations are only affected if there are untrusted back end users.
### Patches
Update to Contao 4.4.56, 4.9.18 or 4.11.7.
### Workarounds
Disable the login for untrusted back end users.
### References
https://contao.org/en/security-advisories/php-file-inclusion-via-insert-tags
### For more information
CVE-2021-35210 | MEDIUM | ≥ 4.5.0, < 4.9.16; ≥ 4.10.0, < 4.11.5 | 2021-07-01
CVE-2021-35210 [MEDIUM] CWE-79 Cross site scripting in the system log
### Impact
It is possible to inject code into the `tl_log` table that will be executed in the browser when the system log is called in the back end.
### Patches
Update to Contao 4.9.16 or 4.11.5.
### Workarounds
Disable the system log module in the back end for all users (especially admin users).
### References
https://contao.org/en/security-advisories/cross-site-scripting-in-the-
CVE-2020-25768 | MEDIUM | ≥ 4.0.0, < 4.4.52; ≥ 4.5.0, < 4.9.6; +1 more | 2020-09-24
CVE-2020-25768 [MEDIUM] CWE-20 Contao Insert tag injection in forms
### Impact
It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.
### Patches
Update to Contao 4.4.52, 4.9.6 or 4.10.1.
### Workarounds
Disable the front end login form and do not use form fields with array keys such as `fieldname[]`.
### References
https://contao.org/en/security-advisories/insert-tag-injection-in-forms
### For more information
CVE-2019-19745 | HIGH | ≥ 4.0.0, < 4.4.46; ≥ 4.5.0, < 4.8.6 | 2019-12-17
CVE-2019-19745 [HIGH] CWE-434 Unrestricted file uploads in Contao
### Impact
A back end user with access to the form generator can upload arbitrary files and execute them on the server.
### Patches
Update to Contao 4.4.46 or 4.8.6.
### Workarounds
Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory.
### References
https://contao.org/en/security-advisories/unrestricted-file-uploads
### For more information
CVE-2019-19714 | MEDIUM | ≥ 4.8.4, < 4.8.6 | 2019-12-17
CVE-2019-19714 [MEDIUM] CWE-116 Insert tag injection in the Contao login module
### Impact
It is possible to inject insert tags into the login module which will be replaced when the page is rendered.
### Patches
Update to Contao 4.8.6.
### Workarounds
None.
### References
https://contao.org/en/security-advisories/insert-tag-injection-in-the-login-module
### For more information
If you have any questions or comments about this advisory, op
CVE-2019-19712 | MEDIUM | ≥ 4.0.0, < 4.4.46; ≥ 4.5.0, < 4.8.6 | 2019-12-17
CVE-2019-19712 [MEDIUM] CWE-276 Information disclosure in the Contao backend
### Impact
Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
### Patches
Update to Contao 4.4.46 or 4.8.6.
### Workarounds
None.
### References
https://contao.org/en/security-advisories/information-disclosure-in-the-back-end
### For more information
If you have any questions or comments about this advi