CVE-2024-28191 — Injection in Contao

CWE-74 — Injection4 documents4 sources

Severity

5.4MEDIUMNVD

CNA3.1

EPSS

1.0%

top 23.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contao Contao Core-bundle

Timeline

PublishedApr 9

Description

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDcontao/contao4.0.0 — 4.13.40+1

▶Packagistcontao/core-bundle4.0.0 — 4.13.40+1

▶CVEListV5contao/contao>= 4.0.0, < 4.13.40, >= 5.0.0, < 5.3.4+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Contao: Unencoded insert tags in the frontend↗2024-04-09

▶

CVEList

Contao may have unencoded insert tags in the frontend↗2024-04-09

▶

GHSA

Contao: Unencoded insert tags in the frontend↗2024-04-09

▶