Search for packages
| purl | pkg:composer/contao/core-bundle@4.5.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3fux-z15d-13g1
Aliases: CVE-2019-11512 GHSA-vq59-x6mq-4wgw |
Contao allows SQL Injection. |
Affected by 2 other vulnerabilities. |
|
VCID-5kwa-7kx3-kfga
Aliases: CVE-2019-10641 GHSA-vcgg-hp4r-87gx |
Weak Password Recovery Mechanism for Forgotten Password Contao has a Weak Password Recovery Mechanism for a Forgotten Password. |
Affected by 3 other vulnerabilities. |
|
VCID-82d1-8yn8-sydv
Aliases: CVE-2021-35955 GHSA-hr3h-x6gq-rqcp |
Cross site scripting via HTML attributes in the back end It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights to modify HTML fields (e.g. TinyMCE). |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-98fv-kpqs-mybc
Aliases: CVE-2019-19745 GHSA-wjx8-cgrm-hh8p |
Unrestricted Upload of File with Dangerous Type Contao allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ah8s-8q49-8qbw
Aliases: CVE-2019-19712 GHSA-4mvc-qc5w-v5qr |
Incorrect Default Permissions Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-azpb-eq6c-e7bw
Aliases: CVE-2021-35210 GHSA-h58v-c6rf-g9f7 |
Cross site scripting in the system log It is possible to inject code into the `tl_log` table that will be executed in the browser when the system log is called in the back end. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-epmj-qf23-xffd
Aliases: CVE-2018-10125 GHSA-pj4j-287j-f742 |
XSS in system log of back end There's a Cross-Site Scripting (XSS) vulnerability in system log of back end. With a manipulated request, an attacker can implant a script which is executed when a logged in back end user opens the system log. The attacker themselves does not have to be logged in. |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-rj3d-jeyz-vye5
Aliases: CVE-2021-37627 GHSA-hq5m-mqmx-fw6m |
Improper Privilege Management Contao is an open source CMS that allows creation of websites and scalable web applications.All users are advised to update to Contao As a workaround users may disable the form generator or disable the login for untrusted back end users. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-t2u3-tgg3-cbb9
Aliases: CVE-2021-37626 GHSA-r6mv-ppjc-4hgr |
Code Injection Contao is an open source CMS that allows you to create websites and scalable web applications.Update to Contao to resolve. If you cannot update then disable the login for untrusted back end users. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||