Search for packages
| purl | pkg:composer/contao/contao@4.8.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-82d1-8yn8-sydv
Aliases: CVE-2021-35955 GHSA-hr3h-x6gq-rqcp |
Cross site scripting via HTML attributes in the back end It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights to modify HTML fields (e.g. TinyMCE). |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-98fv-kpqs-mybc
Aliases: CVE-2019-19745 GHSA-wjx8-cgrm-hh8p |
Unrestricted Upload of File with Dangerous Type Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server. |
Affected by 6 other vulnerabilities. |
|
VCID-ah8s-8q49-8qbw
Aliases: CVE-2019-19712 GHSA-4mvc-qc5w-v5qr |
Incorrect Default Permissions Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. |
Affected by 6 other vulnerabilities. |
|
VCID-azpb-eq6c-e7bw
Aliases: CVE-2021-35210 GHSA-h58v-c6rf-g9f7 |
Cross site scripting in the system log It is possible to inject code into the `tl_log` table that will be executed in the browser when the system log is called in the back end. |
Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-rgvt-jwf2-9fbr
Aliases: CVE-2024-45965 GHSA-mrw8-5368-phm3 |
Duplicate Advisory: Contao allows admin an account to upload SVG file containing malicious JavaScript ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vqqr-fgmh-f626. This link is maintained to preserve external references. ## Original Description Contao 5.4.1 allows an authenticated admin account to upload a SVG file containing malicious javascript code into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted javascript to the target. |
Affected by 4 other vulnerabilities. |
|
VCID-rj3d-jeyz-vye5
Aliases: CVE-2021-37627 GHSA-hq5m-mqmx-fw6m |
Improper Privilege Management Contao is an open source CMS that allows creation of websites and scalable web applications.All users are advised to update to Contao As a workaround users may disable the form generator or disable the login for untrusted back end users. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-t2u3-tgg3-cbb9
Aliases: CVE-2021-37626 GHSA-r6mv-ppjc-4hgr |
Code Injection Contao is an open source CMS that allows you to create websites and scalable web applications.Update to Contao to resolve. If you cannot update then disable the login for untrusted back end users. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-u6sk-25yd-e7b2
Aliases: CVE-2020-25768 GHSA-f7wm-x4gw-6m23 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered. |
Affected by 6 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||