Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.
CVSS Score
5.3
EPSS Score
0.003
Published
2020-10-07
Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.
CVSS Score
8.8
EPSS Score
0.005
Published
2019-12-17
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
CVSS Score
5.3
EPSS Score
0.001
Published
2019-12-17
Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-07-09
Page 2