OSV:GHSA-4GPR-P634-922X (source: Google osv.dev)
Published: Jul 25, 2023 - 5:19 p.m.

Cross site scripting via input unit widget


6.5 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

EPSS: 0.001 Low (percentile 26.5%)

Impact

Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).

Patches

Update to Contao 4.9.42, 4.13.28 or 5.1.10.

Workarounds

Disable login for all untrusted back end users.
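As an added check (not part of the advisory or of Contao's own code), the following Python compares an installed Contao version, or the contao/core-bundle entry of a composer.lock, against the patched releases named above; the composer.lock content is constructed sample data, and branches the advisory does not list are reported as such rather than guessed at.

```python
"""Version gate for GHSA-4GPR-P634-922X (Contao XSS via input unit widget)."""
import json
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (4, 9): (4, 9, 42),
    (4, 13): (4, 13, 28),
    (5, 1): (5, 1, 10),
}


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', optional suffix) into an int tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Contao version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not-listed' for an installed Contao version."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # The advisory publishes fixes only for 4.9, 4.13 and 5.1; other branches
        # (e.g. 4.12 or 5.0) need a manual decision, so do not report them as safe.
        return "not-listed"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def check_composer_lock(lock_json: str) -> tuple:
    """Locate contao/core-bundle in composer.lock text and assess its version."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "contao/core-bundle":
            return pkg["version"], assess(pkg["version"])
    return None, "not-found"


# Constructed sample composer.lock excerpt (not from a real installation).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/console", "version": "v5.4.24"},
    {"name": "contao/core-bundle", "version": "4.13.27"},
]})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))  # ('4.13.27', 'vulnerable')
```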

References

https://contao.org/en/security-advisories/cross-site-scripting-in-widgets-with-units

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Credits

Thanks to Christian Pöschl and Fabian Brenner from usd AG for reporting this vulnerability.
