5.4

CVE-2024-28190

Contao core bundle vulnerable to cross site scripting in the file manager

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ContaoContao Version >= 4.0.0 < 4.13.40
ContaoContao Version >= 5.0.0 < 5.3.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.5% 0.389
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
Vendor Advisory
https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce
Patch
https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d
Patch
https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf
Vendor Advisory