GitHub Advisory DatabaseGHSA-J55W-HJPJ-825GContao: Insufficient BBCode sanitizer
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
Impact
If BBCode is enabled for comments, users can inject CSS styles.
Patches
Update to Contao 4.13.40 or 5.3.4.
Workarounds
Disable BBCode for comments.
References
https://contao.org/en/security-advisories/insufficient-bbcode-sanitization
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| contao/comments-bundle | lt | 5.3.4 | |
| contao/comments-bundle | ge | 2.0.0 | |
| contao/comments-bundle | lt | 4.13.40 |
References
contao.org/en/security-advisories/insufficient-bbcode-sanitization
github.com/advisories/GHSA-j55w-hjpj-825g
github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2
github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2
github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g
nvd.nist.gov/vuln/detail/CVE-2024-28234
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%