contao/core Security Advisories for 3.5.19 (5)
-
[CRITICAL] Existing sessions are not correctly invalidated when a user changes their password
PKSA-fcyb-3n6p-v7sp CVE-2019-10641 GHSA-vcgg-hp4r-87gx
Affected version: >=3.0.0,<3.5.39
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Cross-site scripting (XSS) vulnerability in the system log of the back end
PKSA-ftwh-331g-zg9s CVE-2018-10125 GHSA-pj4j-287j-f742
Affected version: >=3.0.0,<3.5.35
Reported by:
FriendsOfPHP/security-advisories, GitHub -
XSS vulnerabililty in the front end "unsubscribe" module of the newsletter extension
PKSA-ypy6-knh4-dm44 CVE-2018-5478
Affected version: >=3.0.0,<3.5.32
Reported by:
FriendsOfPHP/security-advisories -
SQL injection vulnerabililty in the back end search filter and the front end listing module
PKSA-pg9r-grpr-kp14 CVE-2017-16558
Affected version: >=3.0.0,<3.5.31
Reported by:
FriendsOfPHP/security-advisories -
[HIGH] A logged in back end user can include arbitrary existing PHP files by manipulating an URL parameter
PKSA-rsrx-gn7x-r7yr CVE-2017-10993 GHSA-x5g4-crxq-qxjx
Affected version: >=3.0.0,<3.5.28
Reported by:
FriendsOfPHP/security-advisories, GitHub