GitHub Advisory Database: GHSA-V24P-7P4J-QVVF
History: Apr 09, 2024 - 6:52 p.m.

Contao: Cross site scripting in the file manager

2024-04-09 18:52:46
CWE-79
GitHub Advisory Database
github.com
Tags: contao, file manager, cross site scripting, update, disable uploads

CVSS3: 5.4 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

AI Score: 7.1 High (confidence: Low)

EPSS: 0.0004 Low (percentile: 15.7%)

Impact

Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.
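As an added illustration (not Contao's code and not the advisory's patch), the shape of this bug and its fix in PHP: a hypothetical tooltip renderer that drops an uploaded file name into backend markup unescaped, next to the escaped form and an upload-time name check.

```php
<?php
// Added example, not Contao's code. A file name from an upload is
// attacker-controlled text; the advisory's bug class is placing such a name
// into backend HTML (tooltips, popups) without escaping it.

declare(strict_types=1);

// Constructed sample: a file name carrying markup. The script body is a
// placeholder comment, it only needs to show that the tag survives.
const SAMPLE_NAME = 'report<script>/* placeholder */</script>.pdf';

// Vulnerable form: raw name interpolated into an attribute and the element
// body, so any tag in the name becomes part of the page.
function renderTooltipUnsafe(string $fileName): string
{
    return sprintf('<a href="#" title="%s">%s</a>', $fileName, $fileName);
}

// Hardened form: escape for both attribute and text context. ENT_QUOTES
// covers single and double quotes, ENT_SUBSTITUTE keeps output on bad UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTooltipSafe(string $fileName): string
{
    $escaped = escapeHtml($fileName);
    return sprintf('<a href="#" title="%s">%s</a>', $escaped, $escaped);
}

// Defence in depth at upload time (alongside the workaround of restricting who
// may upload): reject names with characters a file name has no need for.
// Loosen the class to the project's own policy; output escaping stays the fix.
function isAcceptableFileName(string $fileName): bool
{
    return preg_match('/^[A-Za-z0-9._ -]+$/', $fileName) === 1;
}

echo renderTooltipUnsafe(SAMPLE_NAME), PHP_EOL;    // markup passes through intact
echo renderTooltipSafe(SAMPLE_NAME), PHP_EOL;      // rendered as inert text
var_dump(isAcceptableFileName(SAMPLE_NAME));       // bool(false)
var_dump(isAcceptableFileName('report-2024.pdf')); // bool(true)
```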

Patches

Update to Contao 4.13.40 or Contao 5.3.4.

Workarounds

Disable uploads for untrusted users.

References

https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Credits

Thanks to Alexander Wuttke for reporting this vulnerability.

Affected configurations

contao/contao < 5.3.4
OR
contao/contao < 4.13.40
