Affected versions of contao/core-bundle are vulnerable to SQL Injection.
Both the search filter in the back end and the "listing" module in the front end are vulnerable. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.
Upgrade contao/core-bundle to versions 3.5.30, 4.4.8 or higher.