Multiple vulnerabilities in Contao
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2024-28190 CVE-2024-28234 CVE-2024-30262 CVE-2024-28191 CVE-2024-28235 |
| CWE-ID | CWE-79 CWE-74 CWE-254 CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Contao Web applications / CMS |
| Vendor | Contao |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU88878
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-28190
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the file manager. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.0 - 5.3.3
External linkshttp://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf
http://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce
http://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d
http://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Neutralization of Special Elements in Output Used by a Downstream Component
EUVDB-ID: #VU88882
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-28234
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient BBCode sanitization. A remote attacker can inject CSS styles.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.0 - 5.3.3
External linkshttp://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g
http://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2
http://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2
http://contao.org/en/security-advisories/insufficient-bbcode-sanitization
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Security features bypass
EUVDB-ID: #VU88881
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-30262
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the remember-me tokens are not cleared after a password change. A remote user can gain access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.0 - 4.13.39
External linkshttp://github.com/contao/contao/security/advisories/GHSA-r4r6-j2j3-7pp5
http://github.com/contao/contao/commit/3032baa456f607169ffae82a8920354adb338fe9
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU88880
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-28191
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the insert tag injection via the form generator. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.0 - 5.3.3
External linkshttp://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
http://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
http://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
http://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Information disclosure
EUVDB-ID: #VU88879
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-28235
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to session cookie disclosure in the crawler. A remote user can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsContao: 4.9.0 - 5.3.3
External linkshttp://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
http://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
http://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
http://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
http://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
