Search for packages
| purl | pkg:composer/contao/core-bundle@4.3.7 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3fux-z15d-13g1
Aliases: CVE-2019-11512 GHSA-vq59-x6mq-4wgw |
Contao allows SQL Injection. |
Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-5kwa-7kx3-kfga
Aliases: CVE-2019-10641 GHSA-vcgg-hp4r-87gx |
Weak Password Recovery Mechanism for Forgotten Password Contao has a Weak Password Recovery Mechanism for a Forgotten Password. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-6um8-6hqz-uybm
Aliases: CVE-2017-16558 GHSA-w38g-hj45-mjjp |
SQL injection vulnerability Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone. |
Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-98fv-kpqs-mybc
Aliases: CVE-2019-19745 GHSA-wjx8-cgrm-hh8p |
Unrestricted Upload of File with Dangerous Type Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ah8s-8q49-8qbw
Aliases: CVE-2019-19712 GHSA-4mvc-qc5w-v5qr |
Incorrect Default Permissions Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-crsc-bhc9-y3f9
Aliases: CVE-2017-10993 GHSA-x5g4-crxq-qxjx |
PHP file inclusion vulnerability in the back end A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server. |
Affected by 8 other vulnerabilities. |
|
VCID-epmj-qf23-xffd
Aliases: CVE-2018-10125 GHSA-pj4j-287j-f742 |
XSS in system log of back end There's a Cross-Site Scripting (XSS) vulnerability in system log of back end. With a manipulated request, an attacker can implant a script which is executed when a logged in back end user opens the system log. The attacker themselves does not have to be logged in. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-u6sk-25yd-e7b2
Aliases: CVE-2020-25768 GHSA-f7wm-x4gw-6m23 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||