Fabian Brenner

Researcher from usd AG
#41837 of 53,632
6.5 Total CVSS
Vulnerabilities · 1
PT-2023-25700
6.5
2023-07-25
Contao · Contao · CVE-2023-36806
**Name of the Vulnerable Software and Affected Versions**

- Contao versions 4.0.0 through 4.9.41
- Contao versions 4.13.0 through 4.13.27
- Contao versions 5.0.0 through 5.1.9

**Description**

Contao is an open source content management system. It is possible for untrusted back end users to inject malicious code into headline fields in the back end, which will be executed both in the element preview and on the website. Installations are only affected if there are untrusted back end users who have the rights to modify headline fields, or other fields using the input unit widget.

**Recommendations**

- For Contao versions 4.0.0 through 4.9.41, update to Contao 4.9.42.
- For Contao versions 4.13.0 through 4.13.27, update to Contao 4.13.28.
- For Contao versions 5.0.0 through 5.1.9, update to Contao 5.1.10.

As a temporary workaround, consider disabling the login for all untrusted back end users.