| purl | pkg:composer/contao/core-bundle@4.13.21 |
| Vulnerability | Aliases | Summary |
|---|---|---|
| VCID-3ezy-wm8p-fudx | CVE-2024-30262, GHSA-r4r6-j2j3-7pp5 | Contao: Remember-me tokens will not be cleared after a password change. When a front end member changes their password, the corresponding remember-me tokens are not removed. |
| VCID-44rf-v5ep-fbd9 | CVE-2024-45398, GHSA-vm6r-j788-hjh5 | |
| VCID-5188-r5n1-tycn | CVE-2025-65961, GHSA-68q5-78xp-cwwc | Contao is vulnerable to cross-site scripting in templates. It is possible to inject code into the template output that will be executed in the browser in the front end and back end. |
| VCID-53kv-tku1-x3fk | CVE-2024-28235, GHSA-9jh5-qf84-x6pr | Contao: Possible cookie sharing with external domains while checking protected pages for broken links. If the crawler is set to crawl protected pages, it sends the cookie header to external URLs. |
| VCID-bmmc-gmwu-a7dx | CVE-2023-36806, GHSA-4gpr-p634-922x | Cross-site scripting via input unit widget. Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end). |
| VCID-crxv-8yda-d3ex | CVE-2025-29790, GHSA-vqqr-fgmh-f626 | |
| VCID-kgp5-x27x-vyh6 | CVE-2024-28191, GHSA-747v-52c4-8vj8 | Contao: Unencoded insert tags in the frontend. It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way. |
| VCID-n1pv-237p-e3ay | CVE-2025-57756, GHSA-2xmj-8wmq-7475 | |
| VCID-r8z4-2ayx-1bg4 | CVE-2024-28190, GHSA-v24p-7p4j-qvvf | Contao: Cross-site scripting in the file manager. Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend. |
| VCID-ttwq-29ke-s7ez | CVE-2024-45604, GHSA-4p75-5p53-65m9 | |
| VCID-uwqd-um3d-97bk | CVE-2025-65960, GHSA-98vj-mm79-v77r | Contao is vulnerable to remote code execution in template closures. Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. |
| VCID-y73g-hkmg-c7dp | CVE-2024-45612, GHSA-2xpq-xp6c-5mgj | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-pawf-h8n3-83hh | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files. Users should update to Contao 4.9.40, 4.13.21 or 5.1.4 to receive a patch. There are no known workarounds. | CVE-2023-29200, GHSA-fp7q-xhhw-6rj3 |