Vulnerabilities > Contao > Contao CMS

DATE CVE VULNERABILITY TITLE RISK
2020-01-08 CVE-2014-1860 Deserialization of Untrusted Data vulnerability in Contao CMS
Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities
network
low complexity
contao CWE-502
7.5
2019-04-25 CVE-2017-16558 SQL Injection vulnerability in Contao CMS
Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the back end as well as in the listing module.
network
low complexity
contao CWE-89
7.5
2019-04-17 CVE-2019-10643 Key Management Errors vulnerability in Contao CMS 4.7.0
Contao 4.7 allows Use of a Key Past its Expiration Date.
network
low complexity
contao CWE-320
7.5
2019-04-17 CVE-2019-10642 Cross-Site Request Forgery (CSRF) vulnerability in Contao CMS 4.7.0
Contao 4.7 allows CSRF.
network
contao CWE-352
6.8
2019-04-17 CVE-2019-10641 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Contao CMS
Contao before 3.5.39 and 4.x before 4.7.3 has a Weak Password Recovery Mechanism for a Forgotten Password.
network
low complexity
contao CWE-640
5.0
2019-04-17 CVE-2018-20028 Unspecified vulnerability in Contao CMS
Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 has Incorrect Access Control.
network
low complexity
contao
4.0
2017-07-21 CVE-2017-10993 Path Traversal vulnerability in Contao CMS
Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.
network
low complexity
contao CWE-22
6.5
2017-05-26 CVE-2015-0269 Path Traversal vulnerability in Contao CMS
Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x before 3.4.4 allows remote authenticated "back end" users to view files outside their file mounts or the document root via unspecified vectors.
network
low complexity
contao CWE-22
4.0
2012-03-19 CVE-2012-1297 Cross-Site Request Forgery (CSRF) vulnerability in Contao CMS
Multiple cross-site request forgery (CSRF) vulnerabilities in main.php in Contao (formerly TYPOlight) 2.11.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via a delete action in the user module, (2) delete news via a delete action in the news module, or (3) delete newsletters via a delete action in the newsletters module.
network
contao CWE-352
6.8
2011-11-28 CVE-2011-4335 Cross-Site Scripting vulnerability in Contao CMS
Multiple cross-site scripting (XSS) vulnerabilities in Contao before 2.10.2 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php in a (1) teachers.html or (2) teachers/ action.
network
contao CWE-79
4.3