Already a customer?
Log in now
You would like to become a customer?
Test trakked now
The security releases Contao 4.4.56, 4.9.18 and 4.11.7 fix three vulnerabilities at once (CVE-2021-35955, CVE-2021-37627 and CVE-2021-37626). One of them was reported from outside, the other two were found by core developer Martin Auswöger. Martin himself developed the patches for all three vulnerabilities and all three target versions. An extremely time-consuming and non-trivial work. Many thanks to you, dear Martin! By the way: He owns a GitHub Sponsors profile for all readers who want to acknowledge his work.
- Prevent privilege escalation with the form generator (CVE-2021-37627)
- Prevent PHP file inclusion via insert tags (CVE-2021-37626)
- Prevent XSS via HTML attributes in the back end (CVE-2021-35955)
Vulnerability details
The full post is only visible for trakked customers
About Contao 4.9 LTS
The first stable version of Contao 4.9 has been released on February 18, 2020, replacing Contao 4.4 as the long term support version. As an LTS version, 4.9 has been be provided with bug fixes until February 14, 2023 and security-related updates until February 14, 2024. Contao 4.13 was the next LTS version of Contao and has been released in February 2022, ensuring a stress-free transition.
Add a comment