VulnerableCode Package Details - pkg:composer/contao/core-bundle@4.10.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-82d1-8yn8-sydv Aliases: CVE-2021-35955 GHSA-hr3h-x6gq-rqcp	Cross site scripting via HTML attributes in the back end It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights to modify HTML fields (e.g. TinyMCE).	4.11.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-azpb-eq6c-e7bw Aliases: CVE-2021-35210 GHSA-h58v-c6rf-g9f7	Cross site scripting in the system log It is possible to inject code into the `tl_log` table that will be executed in the browser when the system log is called in the back end.	4.11.5 Affected by 0 other vulnerabilities.
VCID-mt93-hcnp-13ah Aliases: CVE-2023-29200 GHSA-fp7q-xhhw-6rj3	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files. Users should update to Contao 4.9.40, 4.13.21 or 5.1.4 to receive a patch. There are no known workarounds.	4.13.21 Affected by 0 other vulnerabilities. 5.1.4 Affected by 0 other vulnerabilities.
VCID-nepv-9985-37g4 Aliases: CVE-2023-36806 GHSA-4gpr-p634-922x	Cross site scripting via input unit widget Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).	4.13.28 Affected by 0 other vulnerabilities. 5.1.10 Affected by 0 other vulnerabilities.
VCID-rj3d-jeyz-vye5 Aliases: CVE-2021-37627 GHSA-hq5m-mqmx-fw6m	Improper Privilege Management Contao is an open source CMS that allows creation of websites and scalable web applications.All users are advised to update to Contao As a workaround users may disable the form generator or disable the login for untrusted back end users.	4.11.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.11.8 Affected by 0 other vulnerabilities.
VCID-t2u3-tgg3-cbb9 Aliases: CVE-2021-37626 GHSA-r6mv-ppjc-4hgr	Code Injection Contao is an open source CMS that allows you to create websites and scalable web applications.Update to Contao to resolve. If you cannot update then disable the login for untrusted back end users.	4.11.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.11.8 Affected by 0 other vulnerabilities.
VCID-u6sk-25yd-e7b2 Aliases: CVE-2020-25768 GHSA-f7wm-x4gw-6m23	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.	4.10.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-82d1-8yn8-sydv
Aliases:
CVE-2021-35955
GHSA-hr3h-x6gq-rqcp

Cross site scripting via HTML attributes in the back end It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights to modify HTML fields (e.g. TinyMCE).

4.11.7
Affected by 2 other vulnerabilities.

VCID-azpb-eq6c-e7bw
Aliases:
CVE-2021-35210
GHSA-h58v-c6rf-g9f7

Cross site scripting in the system log It is possible to inject code into the `tl_log` table that will be executed in the browser when the system log is called in the back end.

4.11.5
Affected by 0 other vulnerabilities.

VCID-mt93-hcnp-13ah
Aliases:
CVE-2023-29200
GHSA-fp7q-xhhw-6rj3

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files. Users should update to Contao 4.9.40, 4.13.21 or 5.1.4 to receive a patch. There are no known workarounds.

4.13.21
Affected by 0 other vulnerabilities.

5.1.4
Affected by 0 other vulnerabilities.

VCID-nepv-9985-37g4
Aliases:
CVE-2023-36806
GHSA-4gpr-p634-922x

Cross site scripting via input unit widget Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).

4.13.28
Affected by 0 other vulnerabilities.

5.1.10
Affected by 0 other vulnerabilities.

VCID-rj3d-jeyz-vye5
Aliases:
CVE-2021-37627
GHSA-hq5m-mqmx-fw6m

Improper Privilege Management Contao is an open source CMS that allows creation of websites and scalable web applications.All users are advised to update to Contao As a workaround users may disable the form generator or disable the login for untrusted back end users.

4.11.7
Affected by 2 other vulnerabilities.

4.11.8
Affected by 0 other vulnerabilities.

VCID-t2u3-tgg3-cbb9
Aliases:
CVE-2021-37626
GHSA-r6mv-ppjc-4hgr

Code Injection Contao is an open source CMS that allows you to create websites and scalable web applications.Update to Contao to resolve. If you cannot update then disable the login for untrusted back end users.

4.11.7
Affected by 2 other vulnerabilities.

4.11.8
Affected by 0 other vulnerabilities.

VCID-u6sk-25yd-e7b2
Aliases:
CVE-2020-25768
GHSA-f7wm-x4gw-6m23

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

4.10.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T16:20:31.975470+00:00	GitLab Importer	Affected by	VCID-u6sk-25yd-e7b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2020-25768.yml	38.6.0
2026-06-02T04:45:26.911948+00:00	GitLab Importer	Affected by	VCID-nepv-9985-37g4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2023-36806.yml	38.6.0
2026-06-02T04:44:39.616055+00:00	GitLab Importer	Affected by	VCID-mt93-hcnp-13ah	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2023-29200.yml	38.6.0
2026-06-02T04:39:45.863706+00:00	GitLab Importer	Affected by	VCID-82d1-8yn8-sydv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2021-35955.yml	38.6.0
2026-06-02T04:39:36.516466+00:00	GitLab Importer	Affected by	VCID-t2u3-tgg3-cbb9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2021-37626.yml	38.6.0
2026-06-02T04:39:36.368306+00:00	GitLab Importer	Affected by	VCID-rj3d-jeyz-vye5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2021-37627.yml	38.6.0
2026-06-02T04:39:26.882920+00:00	GitLab Importer	Affected by	VCID-azpb-eq6c-e7bw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2021-35210.yml	38.6.0