Description
Multiple cross-site request forgery (CSRF) vulnerabilities in main.php in Contao (formerly TYPOlight) 2.11.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via a delete action in the user module, (2) delete news via a delete action in the news module, or (3) delete newsletters via a delete action in the newsletters module.
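The weakness described above, as an added illustration that is not Contao's code: a back-end delete handler in the shape CWE-352 describes (any request that rides on the administrator's session cookie performs the action) beside a hardened version that requires a per-session request token, compared in constant time, and refuses GET for state-changing actions. The query parameters `do`, `act`, `id` and `rt`, the session keys and the sample user table are assumptions constructed for this example, not Contao's real parameter names or schema.

```php
<?php
// Added example, not Contao code. Parameter names (do, act, id, rt), the
// session layout and the sample user table are assumptions for illustration.
declare(strict_types=1);

// Constructed stand-in for a users table: id => username.
$users = [1 => 'admin', 2 => 'editor', 3 => 'author'];

/**
 * Vulnerable pattern: once the browser sends the admin's session cookie,
 * ?do=user&act=delete&id=N deletes the row. Any page the admin merely visits
 * (an <img src="..."> or auto-submitting form) can issue that request.
 */
function deleteUserVulnerable(array $query, array $session, array &$users): string
{
    if (($session['authenticated'] ?? false) !== true) {
        return 'login required';
    }
    if (($query['do'] ?? '') === 'user' && ($query['act'] ?? '') === 'delete') {
        unset($users[(int) ($query['id'] ?? 0)]);
        return 'deleted';
    }
    return 'noop';
}

/** Issue (or reuse) a per-session request token; the back end embeds it in every link/form it renders. */
function requestToken(array &$session): string
{
    if (empty($session['request_token'])) {
        $session['request_token'] = bin2hex(random_bytes(32));
    }
    return $session['request_token'];
}

/**
 * Hardened pattern: the delete proceeds only for a POST that carries the token
 * stored in the same session. A cross-origin page cannot read that token, so it
 * cannot forge a request that passes the check.
 */
function deleteUserHardened(string $method, array $query, array &$session, array &$users): string
{
    if (($session['authenticated'] ?? false) !== true) {
        return 'login required';
    }
    if ($method !== 'POST') {                       // state changes never via GET
        return 'method not allowed';
    }
    $expected = (string) ($session['request_token'] ?? '');
    $given    = (string) ($query['rt'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {   // constant-time compare
        return 'invalid request token';
    }
    if (($query['do'] ?? '') === 'user' && ($query['act'] ?? '') === 'delete') {
        unset($users[(int) ($query['id'] ?? 0)]);
        return 'deleted';
    }
    return 'noop';
}

// --- Constructed walkthrough: the same forged request against both handlers ---
$session = ['authenticated' => true];
$forged  = ['do' => 'user', 'act' => 'delete', 'id' => '2'];  // what an attacker's page would send
$token   = requestToken($session);                              // issued when the admin loads the back end

$copy = $users;
echo 'vulnerable, forged GET:            ', deleteUserVulnerable($forged, $session, $copy), PHP_EOL;

$copy = $users;
echo 'hardened, forged GET:              ', deleteUserHardened('GET', $forged, $session, $copy), PHP_EOL;
echo 'hardened, forged POST, no token:   ', deleteUserHardened('POST', $forged, $session, $copy), PHP_EOL;
echo 'hardened, forged POST, guessed rt: ', deleteUserHardened('POST', $forged + ['rt' => str_repeat('0', 64)], $session, $copy), PHP_EOL;
echo 'hardened, legitimate POST:         ', deleteUserHardened('POST', $forged + ['rt' => $token], $session, $copy), PHP_EOL;
```

Run with `php example.php`. The point the advisory makes is about coverage, not about the token mechanism itself: the check has to sit in front of every state-changing action the back end exposes (here the user, news and newsletter delete actions), because a single unprotected handler is enough for the attack to work.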
Exploits (1)
References (5)
Exploit (x_refsource_misc, various sources): http://ivanobinetti.blogspot.com/2012/02/contaocms-fka-typolight-211-csrf-delete.html
Exploit (x_refsource_exploit-db): http://www.exploit-db.com/exploits/18527
Exploit (x_refsource_misc): http://packetstormsecurity.org/files/110214/ContaoCMS-2.11.0-Cross-Site-Request-Forgery.html
Third Party Advisory, VDB Entry (x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/73479
Vendor Advisory, third-party-advisory (x_refsource_secunia): http://secunia.com/advisories/48180
Scores
EPSS
0.0034
EPSS Percentile
57.1%
Details
CWE
CWE-352
Status
published
Products (47)
contao/contao_cms: 2.0 (3 CPE variants), 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8
... and 37 more
Published
Mar 19, 2012
Tracked Since
Feb 18, 2026