Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
{ "versions": [ { "introduced": "4.5.0" }, { "fixed": "4.9.16" }, { "introduced": "4.10.0" }, { "fixed": "4.11.5" } ] }
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-35210.json"