CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45604 – Directory traversal in the file selector widget in contao/core-bundle
https://notcve.org/view.php?id=CVE-2024-45604
17 Sep 2024 — Contao is an Open Source CMS. In affected versions authenticated users in the back end can list files outside the document root in the file selector widget. Users are advised to update to Contao 4.13.49. There are no known workarounds for this vulnerability. • https://contao.org/en/security-advisories/directory-traversal-in-the-fileselector-widget • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30262 – Contao's remember-me tokens will not be cleared after a password change
https://notcve.org/view.php?id=CVE-2024-30262
09 Apr 2024 — Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module. • https://github.com/contao/contao/commit/3032baa456f607169ffae82a8920354adb338fe9 • CWE-384: Session Fixation CWE-613: Insufficient Session Expiration •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 3CVE-2022-26265
https://notcve.org/view.php?id=CVE-2022-26265
18 Mar 2022 — Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter. Se ha detectado que Contao Managed Edition versión v1.5.0, contiene una vulnerabilidad de ejecución de comandos remota (RCE) por medio del parámetro php_cli del componente • https://github.com/Inplex-sys/CVE-2022-26265 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2012-4383
https://notcve.org/view.php?id=CVE-2012-4383
29 Jan 2020 — contao prior to 2.11.4 has a sql injection vulnerability contao versiones anteriores a 2.11.4, presenta una vulnerabilidad de inyección sql. • http://www.openwall.com/lists/oss-security/2012/08/31/14 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •