Search for packages
| purl | pkg:composer/contao/core@2.10.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5639-8xt3-8ugc
Aliases: GMS-2014-36 |
Improper Input Validation Insufficient input validation allows for code injection and remote execution. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-6bch-mqbz-bqfs
Aliases: CVE-2018-5478 GHSA-mpg7-2rx9-h5qp |
XSS vulnerability in the newsletter extension The vulnerability is in the "unsubscribe" module of the newsletter extension and can easily be exploited by anyone in the front end. If you are not using the newsletter extension or the "unsubscribe" module, your installation is not affected by the vulnerability. |
Affected by 3 other vulnerabilities. |
|
VCID-6um8-6hqz-uybm
Aliases: CVE-2017-16558 GHSA-w38g-hj45-mjjp |
SQL injection vulnerability Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone. | There are no reported fixed by versions. |
|
VCID-7nh2-bb7m-3udz
Aliases: GHSA-wq43-8r5p-w3mc |
contao/core PHP object injection vulnerability allows for arbitrary code execution PHP object injection vulnerability was identified in contao/core due to untrusted data being passed to `deserialize()` function. |
Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-crsc-bhc9-y3f9
Aliases: CVE-2017-10993 GHSA-x5g4-crxq-qxjx |
PHP file inclusion vulnerability in the back end A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server. |
Affected by 4 other vulnerabilities. |
|
VCID-epmj-qf23-xffd
Aliases: CVE-2018-10125 GHSA-pj4j-287j-f742 |
XSS in system log of back end There's a Cross-Site Scripting (XSS) vulnerability in system log of back end. With a manipulated request, an attacker can implant a script which is executed when a logged in back end user opens the system log. The attacker themselves does not have to be logged in. |
Affected by 2 other vulnerabilities. |
|
VCID-m28p-n6vz-zuhw
Aliases: GHSA-wxxw-5gq6-j2g5 |
contao/core Insufficient input validation allows for code injection and remote execution contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. In fact, attackers can remove or change pathconfig.php by entering a URL, meaning that the entire Contao installation will no longer be accessible or malicious code can be executed. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-stup-et3v-5kgp
Aliases: CVE-2015-0269 GHSA-4r6g-xhx7-fm36 |
Path Traversal Directory traversal vulnerability in Contao allows remote authenticated `back end` users to view files outside their file mounts or the document root via unspecified vectors. |
Affected by 10 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-u721-yafq-bkc7
Aliases: GMS-2014-35 |
Code Injection PHP object injection vulnerability allows for arbitrary code execution. |
Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-zexf-zd22-nkfp
Aliases: CVE-2012-4383 GHSA-9jq2-jvwc-p52f |
Contao core SQL Injection Vulnerability Contao core prior to 2.11.4 has a SQL injection vulnerability in `contao-2.11.3\system\modules\backend\Ajax.php` |
Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||