Lucene search

Contao orgCONTAO:INSERT-TAG-INJECTION-VIA-THE-FORM-GENERATOR

HistoryApr 09, 2024 - 12:00 a.m.

Insert tag injection via the form generator

2024-04-0900:00:00

Contao org

contao.org

tag injection

form generator

contao vulnerability

upgrade

workaround

security advisory

data output

3.1 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Date: 2024-04-09 CVE ID: CVE-2024-28191

It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.3

Suggested solution

Upgrade to Contao 4.13.40 or 5.3.4.

Workaround

Do not output the submitted form data on the website.

More information

<https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8>

CPENameOperatorVersion
contaoeq4.0
contaoeq4.1
contaoeq4.2
contaoeq4.3
contaoeq4.4
contaoeq4.5
contaoeq4.6
contaoeq4.7
contaoeq4.8
contaoeq4.9

Name	Operator	Version
contao	eq	4.0
contao	eq	4.1
contao	eq	4.2
contao	eq	4.3
contao	eq	4.4
contao	eq	4.5
contao	eq	4.6
contao	eq	4.7
contao	eq	4.8
contao	eq	4.9

Rows per page:

1-10 of 181

3.1 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for CONTAO:INSERT-TAG-INJECTION-VIA-THE-FORM-GENERATOR