Security update on April 9th, 2019

On April 9th, 2019, we will release updates for Contao 3.5, 4.4 and 4.7, which fix several security vulnerabilities.

Recap of the first Contao Core Developers Meeting 2019

Every year, the Contao Core development team meets twice for a short code sprint of three days.

Contao 4.7.0 is available

Contao version 4.7.0 is available. The release contains new features such as native fonts in the back end, drag and drop in the template editor, an opt-in service, an improved front end preview bar, additional SEO settings for news and events and a lot more.

Viewing unauthorized records in the back end

Date: 2018-12-13
CVE ID: CVE-2018-20028

Logged-in back end users can view records that have not been enabled for them. The problem affects all Contao versions and has been fixed in Contao 3.5.37, 4.4.31 and 4.6.11.

Contao Manager 1.1.0 is available

Contao Manager version 1.1.0 is available. The release contains a new System Recovery feature, advanced installation options and improved package search results.

Arbitrary code execution in TCPDF

Date: 2018-09-18
CVE ID: CVE-2018-17057

A vulnerability in TCPDF allows for arbitrary code execution. The problem affects all Contao versions and has been fixed in Contao 3.5.36, 4.4.25 and 4.6.4.

Contao 3.5.36 is available

Contao version 3.5.36 is available. The bugfix release fixes a code execution vulnerability when generating PDFs (CVE-2018-17057).

Contao 4.6.0 is available

Contao version 4.6.0 is available. The release contains new features such as 2-factor authentication in the back end, drag and drop in the file manager, extended video support and automatic cache invalidation.

Contao 4.5.10 is available

Contao version 4.5.10 is available. The bugfix release restores compatibility with Symfony 3.4.12.

Contao 4.4.20 is available

Contao version 4.4.20 is available. The bugfix release restores compatibility with Symfony 3.4.12.