GoogleOSV:GHSA-747V-52C4-8VJ8Contao: Unencoded insert tags in the frontend
3.1 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
3.8 Low
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
Impact
It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.
Patches
Update to Contao 4.13.40 or 5.3.4.
Workarounds
Do not output the submitted form data on the website.
References
https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
References
contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
github.com/contao/contao
github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
nvd.nist.gov/vuln/detail/CVE-2024-28191
Related
3.1 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
3.8 Low
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%