Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

2018

Viewing unauthorized records in the back end

2018-12-13 14:12 by Leo Feyer

Date: 2018-12-13
CVE ID: CVE-2018-20028

Logged in back end users can view records which have not been enabled for them. The problem affects all Contao versions and has been fixed in Contao 3.5.37, 4.4.31 and 4.6.11.

Arbitrary code execution in TCPDF

2018-09-18 10:29 by Leo Feyer

Date: 2018-09-18
CVE ID: CVE-2018-17057

A vulnerability in TCPDF allows for arbitrary code execution. The problem affects all Contao versions and has been fixed in Contao 3.5.36, 4.4.25 and 4.6.4.

Cross site scripting in the system log

2018-04-18 09:23 by Leo Feyer

Date: 2018-04-18
CVE ID: CVE-2018-10125

The system log is vulnerable to cross site scripting in the back end. The problem affects all Contao versions and has been fixed in Contao 3.5.34, 4.4.17 and 4.5.7.

SQL injection in the newsletter module

2018-01-18 09:36 by Leo Feyer

Date: 2018-01-18
CVE ID: CVE-2018-5478

The newsletter module "unsubscribe" is vulnerable to SQL injections. The problem affects all Contao versions and has been fixed in Contao 3.5.31.