Contao orgCONTAO:CROSS-SITE-SCRIPTING-IN-THE-SYSTEM-LOGCross site scripting in the system log
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
33.8%
Date: 2021-06-23 CVE ID: CVE-2021-35210
Description
It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end. The attacker does not have to be logged in.
Affected versions
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9 up to 4.9.15
Contao 4.10
Contao 4.11 up to 4.11.4
Suggested solution
Update to Contao 4.9.16 or 4.11.5.
Workaround
Disable the system log module in the back end for all users (especially admin users).
More information
<https://github.com/contao/contao/security/advisories/GHSA-h58v-c6rf-g9f7>
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
33.8%