Leofeyer

**Name of the Vulnerable Software and Affected Versions** Contao versions 4.9.0 through 4.13.39 Contao versions 5.0.0 through 5.3.3 **Description** The issue arises when checking for broken links on protected pages, causing Contao to send the cookie header to external URLs. The passed options for the HTTP client are used for all requests. **Recommendations** For Contao versions 4.9.0 through 4.13.39, update to Contao 4.13.40. For Contao versions 5.0.0 through 5.3.3, update to Contao 5.3.4. As a temporary workaround for all affected versions, consider disabling crawling protected pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Contao versions 2.0.0 through 4.13.39 Contao versions 5.0.0 through 5.3.3 **Description** The issue allows injection of CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled for comments. **Recommendations** For Contao versions 2.0.0 through 4.13.39, update to Contao 4.13.40. For Contao versions 5.0.0 through 5.3.3, update to Contao 5.3.4. As a temporary workaround for all affected versions, consider disabling BBCode for comments to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Contao versions prior to 4.9.40 Contao versions prior to 4.13.21 Contao versions prior to 5.1.4 **Description** Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files. **Recommendations** Update to Contao 4.9.40 to receive a patch. Update to Contao 4.13.21 to receive a patch. Update to Contao 5.1.4 to receive a patch. As a temporary workaround, consider restricting access to the file manager for logged-in users until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Contao versions prior to 4.13.3 **Description** The issue allows untrusted users to inject malicious code into the canonical tag, which is then executed on the web page. This can be done in versions of Contao prior to 4.13.3. As a temporary measure, users may disable canonical tags in the root page settings to mitigate the risk. **Recommendations** Update to Contao 4.13.3. As a temporary workaround, consider disabling canonical tags in the root page settings until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Contao versions prior to 4.4.56 Contao versions prior to 4.9.18 Contao versions prior to 4.11.7 **Description** The issue is related to incorrect code generation management in Contao, allowing an attacker to load arbitrary PHP files via insert tags in the Contao back end. This can impact the confidentiality, integrity, and availability of protected information. Installations are only affected if they have untrusted back end users who have the rights to modify fields that are shown in the front end. **Recommendations** Update to Contao 4.4.56 to resolve the issue. Update to Contao 4.9.18 to resolve the issue. Update to Contao 4.11.7 to resolve the issue. If you cannot update, disable the login for untrusted back end users as a temporary workaround.

**Name of the Vulnerable Software and Affected Versions** Contao versions prior to 4.4.56 Contao versions prior to 4.9.18 Contao versions prior to 4.11.7 **Description** Contao is an open source CMS that allows creation of websites and scalable web applications. In affected versions, it is possible to gain privileged rights in the Contao back end. This issue affects installations with untrusted back end users who have access to the form generator. **Recommendations** For versions prior to 4.4.56, update to Contao 4.4.56. For versions prior to 4.9.18, update to Contao 4.9.18. For versions prior to 4.11.7, update to Contao 4.11.7. As a temporary workaround, consider disabling the form generator or disabling the login for untrusted back end users.

Name of the Vulnerable Software and Affected Versions: Contao versions 4.5.x through 4.9.x before 4.9.16 Contao versions 4.10.x through 4.11.x before 4.11.5 Description: The issue allows XSS, making it possible to inject code into the `tl log` table that will be executed in the browser when the system log is called in the back end. Recommendations: Update to Contao 4.9.16 for versions 4.5.x through 4.9.x before 4.9.16. Update to Contao 4.11.5 for versions 4.10.x through 4.11.x before 4.11.5. As a temporary workaround, consider disabling the system log module in the back end for all users, especially admin users, until a patch is applied.