4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
36.1%
It is possible to inject code into the tl_log
table that will be executed in the browser when the system log is called in the back end.
Update to Contao 4.9.16 or 4.11.5.
Disable the system log module in the back end for all users (especially admin users).
https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021
If you have any questions or comments about this advisory, open an issue in contao/contao.
CPE | Name | Operator | Version |
---|---|---|---|
contao/contao | lt | 4.11.5 | |
contao/contao | lt | 4.9.16 | |
contao/core-bundle | lt | 4.11.5 | |
contao/core-bundle | lt | 4.9.16 |
contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html
github.com/advisories/GHSA-h58v-c6rf-g9f7
github.com/contao/contao/security/advisories/GHSA-h58v-c6rf-g9f7
github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35210.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35210.yaml
nvd.nist.gov/vuln/detail/CVE-2021-35210
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
36.1%