CVE-2024-28190 — Cross-site Scripting in Contao

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

1.4%

top 19.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contao Contao Core-bundle

Timeline

PublishedApr 9

Description

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDcontao/contao4.0.0 — 4.13.40+1

▶Packagistcontao/core-bundle4.0.0 — 4.13.40+1

▶CVEListV5contao/contao>= 4.0.0, < 4.13.40, >= 5.0.0, < 5.3.4+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Contao: Cross site scripting in the file manager↗2024-04-09

▶

CVEList

Contao core bundle vulnerable to cross site scripting in the file manager↗2024-04-09

▶

GHSA

Contao: Cross site scripting in the file manager↗2024-04-09

▶