CVE-2024-28191
LOW severity · CVSS 3.1 · Injection
3.1CVSS LOW
Summary
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.
Impact & exploitability
Attack vectorNetwork
Attack complexityHigh
Privileges requiredLow
User interactionNone
Confidentiality impactLow
Integrity impactNone
Availability impactNone
Exploit probability (EPSS)0%
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919 ↗
Additional information
- NVD record
- https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919Patch
- https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016bPatch
- https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generatorAdvisory
- https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8Advisory