5.4

CVE-2024-28191

Contao may have unencoded insert tags in the frontend

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ContaoContao Version >= 4.0.0 < 4.13.40
ContaoContao Version >= 5.0.0 < 5.3.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.5% 0.386
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com 3.1 1.6 1.4
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
Vendor Advisory
https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
Patch
https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
Patch
https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
Vendor Advisory