contao/core
Packagist | 7 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting contao/core (page 1 of 1)
- CVE-2012-4383 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 2.11.4 | 2020-01-29
vulnerable: 2.10.0 ... 2.9.RC1 (44 versions)
Contao prior to 2.11.4 has a SQL injection vulnerability.
- CVE-2015-0269 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 3.2.19 | 2017-05-26
vulnerable: 2.10.0 ... 3.2.beta2 (98 versions)
Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x before 3.4.4 allows remote authenticated "back end" users to view files outside their file mounts or the document root via unspecified vectors.
- CVE-2016-4567 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 3.5.15 | 2016-05-22
vulnerable: 3.0.0 ... 3.5.9 (76 versions)
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinit…
- CVE-2017-10993 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 3.5.28 | 2017-07-21
vulnerable: 3.0.0 ... 3.5.9 (89 versions)
Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.
- CVE-2018-10125 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 3.5.35 | 2020-03-16
vulnerable: 3.0.0 ... 3.5.9 (96 versions)
Contao before 4.5.7 has XSS in the system log.
- CVE-2018-5478 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 3.5.32 | 2023-09-21
vulnerable: 3.0.0 ... 3.5.9 (93 versions)
Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension.
- CVE-2019-10641 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.5.39 | 2019-04-17
vulnerable: 3.0.0 ... 3.5.9 (100 versions)
Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password.
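The practical question this list raises is whether a given deployment's pinned contao/core release predates the fixed versions above. The following script is an added example, not part of this page or of the Contao project: it reads the contao/core entry from a composer.lock and compares it against the "Fixed in" versions transcribed from the list. The composer.lock content is constructed for the demo. Two caveats the page itself illustrates: the "vulnerable" ranges shown above are sorted as strings (so "3.5.9" appears after "3.5.28"), and a string comparison would get the answer wrong, so the script parses versions numerically, including pre-release tags such as "2.9.RC1" and "3.2.beta2"; and since only the first fixed release per CVE is used, an install older than the fix is flagged even where the page's range begins later (e.g. a 2.x install is flagged for entries whose range starts at 3.0.0), which errs on the conservative side. The 4.x line ships under a different Packagist package name and is not covered by this list or this check.

```python
"""Check the contao/core version pinned in a composer.lock against the
fixed versions listed on the advisory page above.

Added example (not the page's or the Contao project's own code).
The FIXED_IN table is transcribed from the page; SAMPLE_LOCK is a
constructed composer.lock fragment for demonstration.
"""
import json
import re

# First fixed release per CVE, as listed on the page (contao/core, 2.x/3.x line).
FIXED_IN = {
    "CVE-2012-4383": "2.11.4",
    "CVE-2015-0269": "3.2.19",
    "CVE-2016-4567": "3.5.15",
    "CVE-2017-10993": "3.5.28",
    "CVE-2018-10125": "3.5.35",
    "CVE-2018-5478": "3.5.32",
    "CVE-2019-10641": "3.5.39",
}

# Pre-release tags rank below a final release of the same number.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]?(alpha|beta|rc)(\d*))?$"
)


def parse_version(version):
    """Turn '3.5.9', '2.9.RC1' or '3.2.beta2' into a comparable tuple.

    Numeric comparison is essential: as strings, '3.5.9' > '3.5.28',
    which is exactly the ordering artefact visible in the page's ranges.
    """
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised contao/core version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    core = (int(major), int(minor), int(patch or 0))
    if pre is None:
        return core + (_RELEASE_RANK, 0)
    return core + (_PRE_RANK[pre], int(pre_num or 0))


def vulnerable_cves(installed, fixed_in=FIXED_IN):
    """CVEs from the table whose first fixed release is newer than `installed`."""
    iv = parse_version(installed)
    return sorted(cve for cve, fixed in fixed_in.items()
                  if iv < parse_version(fixed))


def contao_core_version(lock_json):
    """Return the pinned contao/core version from composer.lock text, or None."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "contao/core":
                return pkg.get("version")
    return None


# Constructed composer.lock fragment (only the fields the check reads).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "contao/core", "version": "3.5.9"},
        {"name": "example/unrelated", "version": "1.0.0"},
    ],
    "packages-dev": [],
})


def audit_lock(lock_json):
    """Version found and the CVEs it is affected by (None if not installed)."""
    version = contao_core_version(lock_json)
    if version is None:
        return None, []
    return version, vulnerable_cves(version)


if __name__ == "__main__":
    version, cves = audit_lock(SAMPLE_LOCK)
    if version is None:
        print("contao/core is not in this composer.lock")
    else:
        print(f"contao/core {version}: {', '.join(cves) or 'no listed CVEs'}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents; a version string the regex does not recognise (for example a dev branch alias) raises ValueError rather than silently passing, which is the safer failure mode for an audit check.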