CVE ID: CVE-2019-10642
The request token check can be bypassed. The problem affects Contao 4.7 and has been fixed in Contao 4.7.3.
CVE ID: CVE-2019-10641
User sessions are not invalidated if a user changes their password. The problem affects all Contao versions and has been fixed in Contao 3.5.39, 4.4.37 and 4.7.3.
On April 9th, 2019, we will release updates for Contao 3.5, 4.4 and 4.7, which fix several security vulnerabilities.
Every year, the Contao Core development team meets twice for a short code sprint of three days.
Contao version 4.7.0 is available. The release contains new features such as native fonts in the back end, drag and drop in the template editor, an opt-in service, an improved front end preview bar, additional SEO settings for news and events and a lot more.
CVE ID: CVE-2018-20028
Logged-in back end users can view records which have not been enabled for them. The problem affects all Contao versions and has been fixed in Contao 3.5.37, 4.4.31 and 4.6.11.
Contao Manager version 1.1.0 is available. The release contains a new System Recovery feature, advanced installation options and improved package search results.
CVE ID: CVE-2018-17057
A vulnerability in TCPDF allows for arbitrary code execution. The problem affects all Contao versions and has been fixed in Contao 3.5.36, 4.4.25 and 4.6.4.
Contao version 3.5.36 is available. The bugfix release fixes a code execution vulnerability when generating PDFs (CVE-2018-17057).
Contao version 4.6.0 is available. The release contains new features such as 2-factor authentication in the back end, drag and drop in the file manager, extended video support and automatic cache invalidation.