Multiple vulnerabilities in Contao
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU88878
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-28190
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the file manager. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.0 - 5.3.3
CPE2.3- cpe:2.3:a:contao:contao:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.0.1:*:*:*:*:*:*:*
https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf
https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce
https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d
https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Neutralization of Special Elements in Output Used by a Downstream Component
EUVDB-ID: #VU88882
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-28234
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient BBCode sanitization. A remote attacker can inject CSS styles.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.0 - 5.3.3
CPE2.3- cpe:2.3:a:contao:contao:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.0.1:*:*:*:*:*:*:*
https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g
https://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2
https://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2
https://contao.org/en/security-advisories/insufficient-bbcode-sanitization
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Security features bypass
EUVDB-ID: #VU88881
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-30262
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the remember-me tokens are not cleared after a password change. A remote user can gain access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.0 - 4.13.39
CPE2.3- cpe:2.3:a:contao:contao:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.0.1:*:*:*:*:*:*:*
https://github.com/contao/contao/security/advisories/GHSA-r4r6-j2j3-7pp5
https://github.com/contao/contao/commit/3032baa456f607169ffae82a8920354adb338fe9
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU88880
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-28191
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the insert tag injection via the form generator. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.0 - 5.3.3
CPE2.3- cpe:2.3:a:contao:contao:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.0.1:*:*:*:*:*:*:*
https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Information disclosure
EUVDB-ID: #VU88879
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-28235
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to session cookie disclosure in the crawler. A remote user can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.9.0 - 5.3.3
CPE2.3- cpe:2.3:a:contao:contao:4.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:contao:contao:4.9.2:*:*:*:*:*:*:*
https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
