Contao: Security Vulnerabilities
Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.
CVSS Score
8.8
EPSS Score
0.005
Published
2019-12-17
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
CVSS Score
5.3
EPSS Score
0.001
Published
2019-12-17
Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-07-09
Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the back end as well as in the listing module.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-04-25
Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 has Incorrect Access Control.
CVSS Score
6.5
EPSS Score
0.003
Published
2019-04-17
Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-04-17
Contao 4.7 allows CSRF.
CVSS Score
8.8
EPSS Score
0.001
Published
2019-04-17
Contao 4.7 allows Use of a Key Past its Expiration Date.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-04-17
Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.
CVSS Score
8.8
EPSS Score
0.008
Published
2017-07-21
Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x before 3.4.4 allows remote authenticated "back end" users to view files outside their file mounts or the document root via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.005
Published
2017-05-26