CVE-2024-28191
Severity CVSS v4.0:
Pending analysis
Type:
CWE-74
Injection
Publication date:
09/04/2024
Last modified:
17/01/2025
Description
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.
Impact
Base Score 3.x
3.10
Severity 3.x
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:* | 4.0.0 (including) | 4.13.40 (excluding) |
| cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:* | 5.0.0 (including) | 5.3.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
- https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
- https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
- https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
- https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
- https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
- https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
- https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8