contao/core-bundle Security Advisories for 4.2.1 (17)
-
[MEDIUM] Contao affected by directory traversal in the file selector widget
PKSA-gkh9-zxxg-dpvd CVE-2024-45604 GHSA-4p75-5p53-65m9
Affected version: <4.13.49
Reported by:
GitHub -
[HIGH] Contao affected by remote command execution through file upload
PKSA-5k7g-byhd-8xrm CVE-2024-45398 GHSA-vm6r-j788-hjh5
Affected version: >=5.4.0,<5.4.3|>=5.0.0,<5.3.15|>=4.0.0,<4.13.49
Reported by:
GitHub -
[LOW] Contao: Unencoded insert tags in the frontend
PKSA-rk65-kfm6-21d9 CVE-2024-28191 GHSA-747v-52c4-8vj8
Affected version: >=5.0.0-RC1,<5.3.4|>=4.0.0,<4.13.40
Reported by:
GitHub -
[MEDIUM] Contao: Cross site scripting in the file manager
PKSA-bxmw-zt4x-f182 CVE-2024-28190 GHSA-v24p-7p4j-qvvf
Affected version: >=5.0.0-RC1,<5.3.4|>=4.0.0,<4.13.40
Reported by:
GitHub -
[MEDIUM] Contao: Remember-me tokens will not be cleared after a password change
PKSA-7hz7-f163-3mdr CVE-2024-30262 GHSA-r4r6-j2j3-7pp5
Affected version: <4.13.40
Reported by:
GitHub -
[MEDIUM] Cross site scripting via input unit widget
PKSA-kc45-s13v-qqqk CVE-2023-36806 GHSA-4gpr-p634-922x
Affected version: >=5.0.0,<5.1.10|>=4.10.0,<4.13.28|>=4.0.0,<4.9.42
Reported by:
GitHub -
[MEDIUM] Cross site scripting via HTML attributes in the back end
PKSA-s6nh-jp39-2w3w CVE-2021-35955 GHSA-hr3h-x6gq-rqcp
Affected version: >=4.0.0,<4.4.56|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.8.0|>=4.8.0,<4.9.0|>=4.9.0,<4.9.18|>=4.10.0,<4.11.0|>=4.11.0,<4.11.7
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[HIGH] Privilege escalation with the form generator
PKSA-6972-2czp-n9y4 CVE-2021-37627 GHSA-hq5m-mqmx-fw6m
Affected version: >=4.0.0,<4.4.56|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.8.0|>=4.8.0,<4.9.0|>=4.9.0,<4.9.18|>=4.10.0,<4.11.0|>=4.11.0,<4.11.7
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] PHP file inclusion via insert tags
PKSA-dqg4-bv6y-y9k1 CVE-2021-37626 GHSA-r6mv-ppjc-4hgr
Affected version: >=4.0.0,<4.4.56|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.8.0|>=4.8.0,<4.9.0|>=4.9.0,<4.9.18|>=4.10.0,<4.11.0|>=4.11.0,<4.11.7
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Insert tag injection in front end forms
PKSA-bn7k-dnct-c6sd CVE-2020-25768 GHSA-f7wm-x4gw-6m23
Affected version: >=4.0.0,<4.4.52|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.8.0|>=4.8.0,<4.9.0|>=4.9.0,<4.9.6|>=4.10.0,<4.10.1
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[HIGH] Unrestricted file uploads
PKSA-n9hp-vpy3-25rz CVE-2019-19745 GHSA-wjx8-cgrm-hh8p
Affected version: >=4.0.0,<4.4.46|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.8.0|>=4.8.0,<4.8.6
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Information disclosure in the back end
PKSA-kmq8-295w-n5p1 CVE-2019-19712 GHSA-4mvc-qc5w-v5qr
Affected version: >=4.0.0,<4.4.46|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.8.0|>=4.8.0,<4.8.6
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[CRITICAL] SQL injection vulnerabililty in the file manager search filter
PKSA-6dhc-y3rp-wnjp CVE-2019-11512 GHSA-vq59-x6mq-4wgw
Affected version: >=4.1.0,<4.4.39|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.7.5
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[CRITICAL] Existing sessions are not correctly invalidated when a user changes their password
PKSA-62kn-sxm4-zf9x CVE-2019-10641 GHSA-vcgg-hp4r-87gx
Affected version: >=4.0.0,<4.4.37|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.7.3
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Cross-site scripting (XSS) vulnerability in the system log of the back end
PKSA-7xh8-fvvz-jkj9 CVE-2018-10125 GHSA-pj4j-287j-f742
Affected version: >=4.0.0,<4.4.18|>=4.5.0,<4.5.8
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[CRITICAL] SQL injection vulnerabililty in the back end search filter
PKSA-hhsz-rqf9-rpm4 CVE-2017-16558 GHSA-w38g-hj45-mjjp
Affected version: >=4.0.0,<4.4.8
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[HIGH] A logged in back end user can include arbitrary existing PHP files by manipulating an URL parameter
PKSA-bm99-nmx5-wsq1 CVE-2017-10993 GHSA-x5g4-crxq-qxjx
Affected version: >=4.0.0,<4.4.1
Reported by:
FriendsOfPHP/security-advisories, GitHub