8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.
Update to Contao 4.13.40 or 5.3.4.
Disable crawling protected pages.
https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
If you have any questions or comments about this advisory, open an issue in contao/contao.
CPE | Name | Operator | Version |
---|---|---|---|
contao/core-bundle | lt | 5.3.4 | |
contao/core-bundle | lt | 4.13.40 |
contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
github.com/advisories/GHSA-9jh5-qf84-x6pr
github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
nvd.nist.gov/vuln/detail/CVE-2024-28235
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%