CVE-2017-10993
https://notcve.org/view.php?id=CVE-2017-10993
21 Jul 2017 — Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal. • https://contao.org/en/news/contao-3_5_28.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-0269
https://notcve.org/view.php?id=CVE-2015-0269
26 May 2017 — Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x before 3.4.4, allows remote authenticated "back end" users to view files outside their file mounts or the document root via unspecified vectors. • https://contao.org/en/news/contao-3_2_19.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2014-1860 – Contao CMS 3.2.4 Code Execution
https://notcve.org/view.php?id=CVE-2014-1860
04 Feb 2014 — Contao CMS through 3.2.4 has PHP object injection vulnerabilities. Contao CMS versions 3.2.4 and below suffer from a code execution vulnerability. • http://www.openwall.com/lists/oss-security/2014/02/03/14 • CWE-502: Deserialization of Untrusted Data
CVE-2012-1297 – ContaoCMS (aka TYPOlight) 2.11 - Cross-Site Request Forgery (Delete Admin / Delete Article)
https://notcve.org/view.php?id=CVE-2012-1297
19 Mar 2012 — Multiple cross-site request forgery (CSRF) vulnerabilities in main.php in Contao (formerly TYPOlight) 2.11.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via a delete action in the user module, (2) delete news via a delete action in the news module, or (3) delete newsletters via a delete action in the newsletters module. • https://www.exploit-db.com/exploits/18527 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2011-4335 – ContaoCMS 2.10.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-4335
28 Nov 2011 — Multiple cross-site scripting (XSS) vulnerabilities in Contao before 2.10.2 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php in a (1) teachers.html or (2) teachers/ action. • https://www.exploit-db.com/exploits/36225 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-0508
https://notcve.org/view.php?id=CVE-2011-0508
20 Jan 2011 — Cross-site scripting (XSS) vulnerability in system/modules/comments/Comments.php in Contao CMS 2.9.2, and possibly other versions before 2.9.3, allows remote attackers to inject arbitrary web script or HTML via the HTTP X_FORWARDED_FOR header, which is stored by system/libraries/Environment.php but not properly handled by a comments action to main.php. • http://dev.contao.org/issues/2751 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')