8.3

CVE-2024-28235

Contao possible cookie sharing with external domains while checking protected pages for broken links

Contao is an open source content management system. Starting in version 4.9.0 and prior to versions 4.13.40 and 5.3.4, when checking for broken links on protected pages, Contao sends the cookie header to external urls as well, the passed  options for the http client are used for all requests. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable crawling protected pages.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ContaoContao Version >= 4.9.0 < 4.13.40
ContaoContao Version >= 5.0.0 < 5.3.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.71% 0.486
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 8.3 1.6 6
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
Vendor Advisory
https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
Product
https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
Patch
https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
Patch
https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
Vendor Advisory