VulnerableCode Package Details - pkg:composer/contao/core-bundle@4.4.17

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/contao/core-bundle@4.4.17

Essentials
History (7)

purl	pkg:composer/contao/core-bundle@4.4.17

Next non-vulnerable version	4.4.52
Latest non-vulnerable version	5.6.5
Risk

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-3fux-z15d-13g1 Aliases: CVE-2019-11512 GHSA-vq59-x6mq-4wgw	Contao allows SQL Injection.	4.4.39 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.7.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-4rrm-u81m-7kdt Aliases: CVE-2018-20028 GHSA-q99w-j4mj-7hj8	Direct Request (Forced Browsing) Contao has Incorrect Access Control.	4.4.31 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.6.11 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-5kwa-7kx3-kfga Aliases: CVE-2019-10641 GHSA-vcgg-hp4r-87gx	Weak Password Recovery Mechanism for Forgotten Password Contao has a Weak Password Recovery Mechanism for a Forgotten Password.	4.4.37 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.7.3 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-98fv-kpqs-mybc Aliases: CVE-2019-19745 GHSA-wjx8-cgrm-hh8p	Unrestricted Upload of File with Dangerous Type Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.	4.4.46 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.5.0-RC1 Affected by 0 other vulnerabilities. 4.8.6 Affected by 0 other vulnerabilities. 5.5.4 Affected by 0 other vulnerabilities.
VCID-ah8s-8q49-8qbw Aliases: CVE-2019-19712 GHSA-4mvc-qc5w-v5qr	Incorrect Default Permissions Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.	4.4.46 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.5.0-RC1 Affected by 0 other vulnerabilities. 4.8.6 Affected by 0 other vulnerabilities. 5.5.4 Affected by 0 other vulnerabilities.
VCID-u6sk-25yd-e7b2 Aliases: CVE-2020-25768 GHSA-f7wm-x4gw-6m23	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.	4.4.52 Affected by 0 other vulnerabilities. 4.9.6 Affected by 0 other vulnerabilities. 4.10.1 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-epmj-qf23-xffd	XSS in system log of back end There's a Cross-Site Scripting (XSS) vulnerability in system log of back end. With a manipulated request, an attacker can implant a script which is executed when a logged in back end user opens the system log. The attacker themselves does not have to be logged in.	CVE-2018-10125 GHSA-pj4j-287j-f742

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:39:49.715140+00:00	GitLab Importer	Affected by	VCID-u6sk-25yd-e7b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2020-25768.yml	38.6.0
2026-06-04T20:26:06.859451+00:00	GitLab Importer	Affected by	VCID-ah8s-8q49-8qbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-19712.yml	38.6.0
2026-06-04T20:26:04.028520+00:00	GitLab Importer	Affected by	VCID-98fv-kpqs-mybc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-19745.yml	38.6.0
2026-06-04T20:23:20.039888+00:00	GitLab Importer	Affected by	VCID-3fux-z15d-13g1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-11512.yml	38.6.0
2026-06-04T20:20:55.722189+00:00	GitLab Importer	Affected by	VCID-4rrm-u81m-7kdt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2018-20028.yml	38.6.0
2026-06-04T20:20:54.217642+00:00	GitLab Importer	Affected by	VCID-5kwa-7kx3-kfga	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2019-10641.yml	38.6.0
2026-06-04T16:19:52.544824+00:00	GitLab Importer	Fixing	VCID-epmj-qf23-xffd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2018-10125.yml	38.6.0