CVSS3 base score: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
EPSS score: 0.001 Low
EPSS percentile: 26.5%
Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).
Update to Contao 4.9.42, 4.13.28 or 5.1.10.
Disable login for all untrusted back end users.
https://contao.org/en/security-advisories/cross-site-scripting-in-widgets-with-units
If you have any questions or comments about this advisory, open an issue in contao/contao.
Thanks to Christian Pöschl and Fabian Brenner from usd AG for reporting this vulnerability.
github.com/contao/contao
github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
herolab.usd.de/security-advisories/usd-2023-0020
nvd.nist.gov/vuln/detail/CVE-2023-36806