CVE-2024-28191

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8

Configurations

No configuration.

History

09 Apr 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-09 14:15

Updated : 2024-04-10 13:24

NVD link : CVE-2024-28191

Mitre link : CVE-2024-28191

CVE.ORG link : CVE-2024-28191

JSON object : View

Products Affected

No product.

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

3.1 /10