Vulnerabilities for Contao (...) - CXSECURITY.COM

Vulnerabilities for 'Contao'

2022-05-06

CVE-2022-24899

CWE-79

Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.

2022-05-05

CVE-2022-1588

CWE-79

Cross-site Scripting (XSS) in GitHub repository contao/contao prior to 4.13.3. Attacker can execute Malicious JS in Application :)

2021-08-12

CVE-2021-35955

CWE-79

Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7.

2021-06-23

CVE-2021-35210

CWE-79

Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.

2020-10-07

CVE-2020-25768

CWE-20

Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

2020-03-16

CVE-2018-10125

CWE-79

Contao before 4.5.7 has XSS in the system log.

2020-01-29

CVE-2012-4383

CWE-89

contao prior to 2.11.4 has a sql injection vulnerability

2019-12-17

CVE-2019-19745

CWE-434

Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.

CVE-2019-19714

CWE-116

Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered.

CVE-2019-19712

CWE-276

Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.

Copyright 2024, cxsecurity.com