Security Advisories - contao/core-bundle

contao/core-bundle Security Advisories for 4.11.0-RC2 (11)

[MEDIUM] Contao affected by directory traversal in the file selector widget

PKSA-gkh9-zxxg-dpvd CVE-2024-45604 GHSA-4p75-5p53-65m9

Affected version: <4.13.49

Reported by:
GitHub
[HIGH] Contao affected by remote command execution through file upload

PKSA-5k7g-byhd-8xrm CVE-2024-45398 GHSA-vm6r-j788-hjh5

Affected version: >=5.4.0,<5.4.3|>=5.0.0,<5.3.15|>=4.0.0,<4.13.49

Reported by:
GitHub
[LOW] Contao: Unencoded insert tags in the frontend

PKSA-rk65-kfm6-21d9 CVE-2024-28191 GHSA-747v-52c4-8vj8

Affected version: >=5.0.0-RC1,<5.3.4|>=4.0.0,<4.13.40

Reported by:
GitHub
[MEDIUM] Contao: Cross site scripting in the file manager

PKSA-bxmw-zt4x-f182 CVE-2024-28190 GHSA-v24p-7p4j-qvvf

Affected version: >=5.0.0-RC1,<5.3.4|>=4.0.0,<4.13.40

Reported by:
GitHub
[MEDIUM] Contao: Remember-me tokens will not be cleared after a password change

PKSA-7hz7-f163-3mdr CVE-2024-30262 GHSA-r4r6-j2j3-7pp5

Affected version: <4.13.40

Reported by:
GitHub
[HIGH] Contao: Possible cookie sharing with external domains while checking protected pages for broken links

PKSA-g1qg-mn7d-638g CVE-2024-28235 GHSA-9jh5-qf84-x6pr

Affected version: >=5.0.0-RC1,<5.3.4|>=4.9.0,<4.13.40

Reported by:
GitHub
[MEDIUM] Cross site scripting via input unit widget

PKSA-kc45-s13v-qqqk CVE-2023-36806 GHSA-4gpr-p634-922x

Affected version: >=5.0.0,<5.1.10|>=4.10.0,<4.13.28|>=4.0.0,<4.9.42

Reported by:
GitHub
[MEDIUM] Cross site scripting via HTML attributes in the back end

PKSA-s6nh-jp39-2w3w CVE-2021-35955 GHSA-hr3h-x6gq-rqcp

Affected version: >=4.0.0,<4.4.56|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.8.0|>=4.8.0,<4.9.0|>=4.9.0,<4.9.18|>=4.10.0,<4.11.0|>=4.11.0,<4.11.7

Reported by:
FriendsOfPHP/security-advisories, GitHub
[HIGH] Privilege escalation with the form generator

PKSA-6972-2czp-n9y4 CVE-2021-37627 GHSA-hq5m-mqmx-fw6m

Affected version: >=4.0.0,<4.4.56|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.8.0|>=4.8.0,<4.9.0|>=4.9.0,<4.9.18|>=4.10.0,<4.11.0|>=4.11.0,<4.11.7

Reported by:
FriendsOfPHP/security-advisories, GitHub
[MEDIUM] PHP file inclusion via insert tags

PKSA-dqg4-bv6y-y9k1 CVE-2021-37626 GHSA-r6mv-ppjc-4hgr

Affected version: >=4.0.0,<4.4.56|>=4.5.0,<4.6.0|>=4.6.0,<4.7.0|>=4.7.0,<4.8.0|>=4.8.0,<4.9.0|>=4.9.0,<4.9.18|>=4.10.0,<4.11.0|>=4.11.0,<4.11.7

Reported by:
FriendsOfPHP/security-advisories, GitHub
[MEDIUM] Cross-site scripting (XSS) vulnerability in the system log

PKSA-ztzv-8k57-rm9h CVE-2021-35210 GHSA-h58v-c6rf-g9f7

Affected version: >=4.5.0,<4.9.16|>=4.10.0,<4.11.0|>=4.11.0,<4.11.5

Reported by:
FriendsOfPHP/security-advisories, GitHub

contao/core-bundle Security Advisories for 4.11.0-RC2 (11)

[MEDIUM] Contao affected by directory traversal in the file selector widget

[HIGH] Contao affected by remote command execution through file upload

[LOW] Contao: Unencoded insert tags in the frontend

[MEDIUM] Contao: Cross site scripting in the file manager

[MEDIUM] Contao: Remember-me tokens will not be cleared after a password change

[HIGH] Contao: Possible cookie sharing with external domains while checking protected pages for broken links

[MEDIUM] Cross site scripting via input unit widget

[MEDIUM] Cross site scripting via HTML attributes in the back end

[HIGH] Privilege escalation with the form generator

[MEDIUM] PHP file inclusion via insert tags

[MEDIUM] Cross-site scripting (XSS) vulnerability in the system log