Contao · Contao · CVE-2024-28190
**Name of the Vulnerable Software and Affected Versions**
Contao versions 4.0.0 through 4.13.39
Contao versions 5.0.0 through 5.3.3
**Description**
Contao is an open source content management system. Users can inject malicious code in filenames when uploading files, which is then executed in tooltips and popups in the back end. This issue affects both the back end and front end of the system.
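The failure mode above is a stored file name reaching back-end markup unescaped. The following added example (not Contao's code; the allow-list policy, `render_tooltip*` helpers, log format and sample names are all constructed for illustration) shows the vulnerable rendering pattern beside its escaped form, an upload-time file-name allow-list, and a retro-hunt over upload logs for names that would have failed it.

```python
import html
import re

# Allow-list for stored file names: letters, digits, space, dot, dash,
# underscore, parentheses. Anything HTML- or attribute-significant
# (< > " ' & /) fails the check. Hypothetical policy, not Contao's own.
SAFE_NAME = re.compile(r"[A-Za-z0-9 ._()\-]{1,255}")


def is_safe_filename(name: str) -> bool:
    """Upload-time validation: accept only allow-listed names that are not all dots."""
    return SAFE_NAME.fullmatch(name) is not None and name.strip(".") != ""


def render_tooltip_unsafe(filename: str) -> str:
    """The vulnerable pattern: the stored name is concatenated straight into markup."""
    return f'<span title="{filename}">{filename}</span>'


def render_tooltip(filename: str) -> str:
    """Hardened output: escape for the attribute value and for the text node.
    html.escape() quotes both " and ' by default, so one call covers either context."""
    safe = html.escape(filename)
    return f'<span title="{safe}">{safe}</span>'


def find_suspicious_uploads(log_text: str) -> list[tuple[str, str]]:
    """Retro-hunt over upload logs: (user, name) pairs whose name fails the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"user=(\S+) name=(.*)$", line)
        if m and not is_safe_filename(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample data (not taken from the advisory).
BENIGN = "quarterly report (final).pdf"
HOSTILE = 'report"><img src=x onerror=alert(1)>.pdf'
UPLOAD_LOG = f"""\
2024-03-07T10:01:12Z upload user=editor name={BENIGN}
2024-03-07T10:02:45Z upload user=guest name={HOSTILE}
2024-03-07T10:03:01Z upload user=editor name=photo_2024-03.jpg
"""

if __name__ == "__main__":
    print(render_tooltip_unsafe(HOSTILE))   # the title attribute is broken out of
    print(render_tooltip(HOSTILE))          # the name stays inert text
    print(find_suspicious_uploads(UPLOAD_LOG))
```

The allow-list is defence in depth only; the fix that actually closes the issue is context-aware escaping at the point where the name is rendered.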
**Recommendations**
For Contao versions 4.0.0 through 4.13.39, update to Contao 4.13.40.
For Contao versions 5.0.0 through 5.3.3, update to Contao 5.3.4.
As a temporary workaround, remove upload fields from front end forms and disable uploads for untrusted back end users to minimize the risk of exploitation.