Affected versions of
contao/core are vulnerable to SQL Injection.
Both the search filter in the back end and the "listing" module in the front end are vulnerable. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.
contao/core to version 3.5.31 or higher.