
CVE-2025-57756

Contao discloses sensitive information in the front end search index

Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search.
Data provided by the National Vulnerability Database (NVD)
Affected: Contao / Contao, version >= 4.9.0 and <= 4.9.14
Affected: Contao / Contao, version >= 4.10.0 and < 4.13.56
Affected: Contao / Contao, version >= 5.0.0 and < 5.3.38
Affected: Contao / Contao, version >= 5.4.0 and < 5.6.1
No advisory warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.27% | 0.177

CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
security-advisories@github.com | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-612 Improper Authorization of Index Containing Sensitive Information

The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.

https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475
Patch
Third Party Advisory
https://github.com/contao/contao/commit/a03976c459b6f3985a28f6488b82a76ffb6c0514
Patch
https://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index
Vendor Advisory