|Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')|
|Vulnerability||Severity Score||Release Date||Summary|
|CVE-2011-4335||4.3||Nov. 28, 2011||
Multiple cross-site scripting (XSS) vulnerabilities in Contao before 2.10.2 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php in a (1) teachers.html or (2) teachers/ action.
|CVE-2012-1297||6.8||March 19, 2012||
Multiple cross-site request forgery (CSRF) vulnerabilities in main.php in Contao (formerly TYPOlight) 2.11.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via a delete action in the user module, (2) delete news via a delete action in the news module, or (3) delete newsletters via a delete action in the newsletters module.