Lucene search

GoogleOSV:CVE-2023-36806

HistoryJul 25, 2023 - 7:15 p.m.

CVE-2023-36806

2023-07-2519:15:11

Google

osv.dev

contao cms

injection vulnerability

untrusted users

backend

security patch

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.5%

JSON

Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.9.42, 4.13.28, and 5.1.10, it is possible for untrusted backend users to inject malicious code into headline fields in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights to modify headline fields, or other fields using the input unit widget. Contao 4.9.42, 4.13.28, and 5.1.10 have a patch for this issue. As a workaround, disable the login for all untrusted back end users.

CPENameOperatorVersion
contaoeq4.4.51
contaoeq4.8.4
contaoeq4.10.2
contaoeq4.12.2
contaoeq4.9.18
contaoeq4.9.5
contaoeq4.9.28
contaoeq5.0.0-RC2
contaoeq4.11.6
contaoeq4.13.0-RC2

Name	Operator	Version
contao	eq	4.4.51
contao	eq	4.8.4
contao	eq	4.10.2
contao	eq	4.12.2
contao	eq	4.9.18
contao	eq	4.9.5
contao	eq	4.9.28
contao	eq	5.0.0-RC2
contao	eq	4.11.6
contao	eq	4.13.0-RC2

Rows per page:

1-10 of 2121

References

github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4

github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b

github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32

github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x

herolab.usd.de/security-advisories/usd-2023-0020/