Contao org advisory CONTAO:SESSION-COOKIE-DISCLOSURE-IN-THE-CRAWLER

Session cookie disclosure in the crawler

2024-04-09 00:00:00
Contao org (contao.org)

Tags: session cookie, disclosure, crawler, contao, vulnerability, upgrade, workaround, external urls

CVSS3: 8.3 High (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 6.7 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.5%)

Date: 2024-04-09 CVE ID: CVE-2024-28235

If the crawler is set to crawl protected pages, it sends the Cookie header, including the session cookie, to external URLs as well, not only to the site being crawled.
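As an added illustration of the defensive check this class of bug calls for (example code, not Contao's own crawler), the function below attaches the session cookie only to requests whose scheme, host and port match the crawled site; every identifier, URL and cookie value in it is constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not Contao code: a crawler must attach the member session
# cookie only to requests for the origin that issued it. Sending it to any
# other host hands the session to whoever operates that host.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def is_same_origin(site_root, target):
    """True only if scheme, host and port all match; subdomains do not count."""
    a, b = origin_of(site_root), origin_of(target)
    return a is not None and a == b


def request_headers(site_root, link, session_cookie):
    """Resolve a discovered link and decide whether the Cookie header travels with it."""
    target = urljoin(site_root, link)  # relative links resolve to the site itself
    headers = {"User-Agent": "example-crawler"}
    if is_same_origin(site_root, target):
        headers["Cookie"] = session_cookie
    return target, headers


def plan_crawl(site_root, links, session_cookie):
    """Map each resolved URL to whether the session cookie would be sent with it."""
    plan = {}
    for link in links:
        target, headers = request_headers(site_root, link, session_cookie)
        plan[target] = "Cookie" in headers
    return plan


if __name__ == "__main__":
    # Constructed sample input: links found on a protected page of the crawled site.
    links = ["/members/profile", "https://example.com:443/news",
             "https://cdn.example.com/a.js", "http://example.com/",
             "https://tracker.invalid/pixel.gif"]
    for url, sends in plan_crawl("https://example.com", links, "PHPSESSID=constructed").items():
        print("cookie   " if sends else "no cookie", url)
```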

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.3

Suggested solution

Upgrade to Contao 4.13.40 or 5.3.4.

Workaround

Disable crawling protected pages.

More information

<https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr>
