Security Advisories - contao/core - Packagist

contao/core Security Advisories for 3.1.2 (9)

[CRITICAL] Existing sessions are not correctly invalidated when a user changes their password

PKSA-fcyb-3n6p-v7sp CVE-2019-10641 GHSA-vcgg-hp4r-87gx

Affected version: >=3.0.0,<3.5.39

Reported by:
FriendsOfPHP/security-advisories, GitHub
[MEDIUM] Cross-site scripting (XSS) vulnerability in the system log of the back end

PKSA-ftwh-331g-zg9s CVE-2018-10125 GHSA-pj4j-287j-f742

Affected version: >=3.0.0,<3.5.35

Reported by:
FriendsOfPHP/security-advisories, GitHub
[MEDIUM] XSS vulnerabililty in the front end "unsubscribe" module of the newsletter extension

PKSA-ypy6-knh4-dm44 CVE-2018-5478 GHSA-mpg7-2rx9-h5qp

Affected version: >=3.0.0,<3.5.32

Reported by:
FriendsOfPHP/security-advisories, GitHub
SQL injection vulnerabililty in the back end search filter and the front end listing module

PKSA-pg9r-grpr-kp14 CVE-2017-16558

Affected version: >=3.0.0,<3.5.31

Reported by:
FriendsOfPHP/security-advisories
[HIGH] A logged in back end user can include arbitrary existing PHP files by manipulating an URL parameter

PKSA-rsrx-gn7x-r7yr CVE-2017-10993 GHSA-x5g4-crxq-qxjx

Affected version: >=3.0.0,<3.5.28

Reported by:
FriendsOfPHP/security-advisories, GitHub
[MEDIUM] Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2 (see CVE-2013-1967)

PKSA-v6fz-d2wr-384f CVE-2016-4567 GHSA-277w-qpxr-2549

Affected version: >=3.0.0,<3.5.15

Reported by:
FriendsOfPHP/security-advisories, GitHub
[MEDIUM] A directory traversal vulnerability allows back end users to view files outside their document root

PKSA-mygf-dtyk-5jmz CVE-2015-0269 GHSA-4r6g-xhx7-fm36

Affected version: >=2.0.0,<3.0.0|>=3.0.0,<3.4.4

Reported by:
FriendsOfPHP/security-advisories, GitHub
[CRITICAL] Insufficient input validation allows for code injection and remote execution

PKSA-r8p4-983n-brfy GHSA-wxxw-5gq6-j2g5

Affected version: >=2.0.0,<2.11.17|>=3.0.0,<3.2.9

Reported by:
FriendsOfPHP/security-advisories, GitHub
[HIGH] PHP object injection vulnerability allows for arbitrary code execution

PKSA-kg5m-pjr6-ystg GHSA-wq43-8r5p-w3mc

Affected version: >=2.0.0,<2.11.16|>=3.0.0,<3.2.7

Reported by:
FriendsOfPHP/security-advisories, GitHub