CVE-2024-28190

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce
https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d
https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf

Configurations

No configuration.

History

09 Apr 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-09 14:15

Updated : 2024-04-10 13:24

NVD link : CVE-2024-28190

Mitre link : CVE-2024-28190

CVE.ORG link : CVE-2024-28190

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10