Description
Multiple cross-site scripting (XSS) vulnerabilities in Contao before 2.10.2 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php in a (1) teachers.html or (2) teachers/ action.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Stefan Schurtz · textwebappsphp
https://www.exploit-db.com/exploits/36225
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/520046/100/0/threaded
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2011/11/21/30
Various Sources x_refsource_confirm
http://dev.contao.org/projects/typolight/repository/revisions/1041
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2011/11/22/1
Various Sources x_refsource_misc
http://www.rul3z.de/advisories/SSCHADV2011-025.txt
Scores
EPSS
0.0043
EPSS Percentile
62.8%
Details
CWE
CWE-79
Status
published
Products (46)
contao/contao_cms
2.0 (4 CPE variants)
contao/contao_cms
2.1.0
contao/contao_cms
2.1.1
contao/contao_cms
2.1.2
contao/contao_cms
2.1.3
contao/contao_cms
2.1.4
contao/contao_cms
2.1.5
contao/contao_cms
2.1.6
contao/contao_cms
2.1.7
contao/contao_cms
2.1.8
... and 36 more
Published
Nov 28, 2011
Tracked Since
Feb 18, 2026