GitHub Advisory DatabaseGHSA-9JH5-QF84-X6PRContao: Possible cookie sharing with external domains while checking protected pages for broken links
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
Impact
If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.
Patches
Update to Contao 4.13.40 or 5.3.4.
Workarounds
Disable crawling protected pages.
References
https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| contao/core-bundle | lt | 5.3.4 | |
| contao/core-bundle | lt | 4.13.40 |
References
contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
github.com/advisories/GHSA-9jh5-qf84-x6pr
github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
nvd.nist.gov/vuln/detail/CVE-2024-28235
Related
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%