GitHub Advisory Database: GHSA-4GPR-P634-922X

Cross site scripting via input unit widget

Published: 2023-07-25 17:19:10
Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, cross-site scripting)
Source: GitHub Advisory Database (github.com)
Tags: cross site scripting, input widget, contao update, backend users, security advisory, vulnerability report

CVSS v3.1 base score: 6.5 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low

EPSS: 0.001 (Low), percentile 26.5%

Impact

Authenticated back end users can inject script into widgets with units (Contao's input unit widget, a field that pairs a value with a unit selector). The injected payload is stored with the content element and is then executed both in the element preview (back end) and on the website (front end), so it reaches other back end users and front end visitors, which is why the CVSS scope is rated Changed. A back end login is required, which is why the vector carries Privileges Required: Low and the workaround targets untrusted back end accounts.

Patches

Update to Contao 4.9.42, 4.13.28 or 5.1.10.

Workarounds

Disable login for all untrusted back end users.
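To make the vulnerability class concrete, here is an added illustration (not Contao's own code and not the project's fix): a value/unit pair rendered unescaped into preview markup next to a hardened renderer, a save-time validator that checks the unit against an allow-list, and a post-update sweep over stored rows. It assumes, as a hypothesis for the example, that the unit part of the widget is the injected field, that the pair is stored as a PHP-serialized array with "value" and "unit" keys, and that the allow-list and function names are the example's own. The parser reads serialize() byte lengths instead of trusting quote characters, since a payload can contain quotes. Python is used for portability; the same logic applies to the PHP templates Contao uses.

```python
import html
import re
from typing import Dict, List, Tuple

# Units a dimension widget is meant to accept (assumed allow-list for this example).
ALLOWED_UNITS = ("px", "%", "em", "rem", "vw", "vh", "pt")
NUMERIC = re.compile(r"-?\d+(\.\d+)?")


def parse_php_string_array(blob: str) -> Dict[str, str]:
    """Parse a flat PHP-serialized array of strings such as
    a:2:{s:5:"value";s:2:"10";s:4:"unit";s:2:"px";}
    serialize() lengths are byte counts, so the parser walks UTF-8 bytes and
    relies on the declared length rather than on quotes, which a payload may contain."""
    data = blob.encode("utf-8")
    pos = 0

    def expect(token: bytes) -> None:
        nonlocal pos
        if not data.startswith(token, pos):
            raise ValueError(f"expected {token!r} at byte {pos}")
        pos += len(token)

    def read_int(terminator: bytes) -> int:
        nonlocal pos
        end = data.index(terminator, pos)  # raises ValueError when missing
        number = int(data[pos:end])
        pos = end + len(terminator)
        return number

    def read_string() -> str:
        nonlocal pos
        expect(b"s:")
        length = read_int(b":")
        expect(b'"')
        text = data[pos:pos + length].decode("utf-8")
        pos += length
        expect(b'";')
        return text

    expect(b"a:")
    count = read_int(b":")
    expect(b"{")
    result: Dict[str, str] = {}
    for _ in range(count):
        key = read_string()
        result[key] = read_string()
    expect(b"}")
    if pos != len(data):
        raise ValueError("trailing bytes after serialized array")
    return result


def validate_pair(pair: Dict[str, str], allowed=ALLOWED_UNITS) -> bool:
    """Server-side check a widget validator should apply on save: the unit must be
    one of the offered options and the value a plain number. The browser's <select>
    cannot be trusted, because the POST body is attacker-controlled."""
    return pair.get("unit") in allowed and NUMERIC.fullmatch(pair.get("value", "")) is not None


def render_vulnerable(value: str, unit: str) -> str:
    """Preview markup that interpolates the stored pair without escaping.
    With unit = 'px"><script>alert(1)</script>' the script tag lands in the page."""
    return f'<div class="preview" style="width:{value}{unit}">preview</div>'


def render_hardened(value: str, unit: str) -> str:
    """Same markup with output escaping; html.escape() also encodes the double
    quote, so the payload can no longer terminate the style attribute."""
    return f'<div class="preview" style="width:{html.escape(value)}{html.escape(unit)}">preview</div>'


def audit_stored_values(rows: List[Tuple[str, str]], allowed=ALLOWED_UNITS) -> List[Tuple[str, str]]:
    """Post-update sweep: the patch stops new injections but leaves payloads that
    are already in the database. Returns (row_id, reason) for every suspect row."""
    findings = []
    for row_id, blob in rows:
        try:
            pair = parse_php_string_array(blob)
        except ValueError as exc:
            findings.append((row_id, f"unparseable: {exc}"))
            continue
        if not validate_pair(pair, allowed):
            findings.append((row_id, f"unit={pair.get('unit', '')!r} value={pair.get('value', '')!r}"))
    return findings


# Constructed sample rows (not real Contao data): two benign, one carrying a payload.
SAMPLE_ROWS = [
    ("1", 'a:2:{s:5:"value";s:2:"10";s:4:"unit";s:2:"px";}'),
    ("2", 'a:2:{s:5:"value";s:2:"50";s:4:"unit";s:1:"%";}'),
    ("3", 'a:2:{s:5:"value";s:2:"10";s:4:"unit";s:29:"px"><script>alert(1)</script>";}'),
]


if __name__ == "__main__":
    for row_id, blob in SAMPLE_ROWS:
        pair = parse_php_string_array(blob)
        status = "valid" if validate_pair(pair) else "REJECTED"
        print(row_id, status, render_hardened(pair["value"], pair["unit"]))
    print("audit findings:", audit_stored_values(SAMPLE_ROWS))
```

Validation at save time and escaping at render time are independent layers: the first keeps payloads out of the database, the second stops anything already stored from executing. After updating, run the sweep against the real tables that hold widget values, since the update alone does not clean existing rows.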

References

https://contao.org/en/security-advisories/cross-site-scripting-in-widgets-with-units

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Credits

Thanks to Christian Pöschl and Fabian Brenner from usd AG for reporting this vulnerability.

Affected configurations

contao/contao < 5.1.10
OR contao/contao < 4.13.28
OR contao/contao < 4.9.42
