CVE-2024-28190
Contao core bundle vulnerable to cross site scripting in the file manager
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.
Contao es un sistema de gestión de contenidos de código abierto. A partir de la versión 4.0.0 y antes de la versión 4.13.40 y 5.3.4, los usuarios pueden inyectar código malicioso en los nombres de archivos al cargar archivos (back-end y front-end), que luego se ejecuta en información sobre herramientas y ventanas emergentes en el back-end. Las versiones 4.13.40 y 5.3.4 de Contao tienen un parche para este problema. Como workaround, elimine los campos de carga de los formularios frontales y deshabilite las cargas para usuarios finales que no sean de confianza.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-03-06 CVE Reserved
- 2024-04-09 CVE Published
- 2024-08-02 CVE Updated
- 2025-01-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager | X_refsource_misc | |
| https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce | X_refsource_misc | |
| https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d | X_refsource_misc | |
| https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Contao Search vendor "Contao" | Contao Search vendor "Contao" for product "Contao" | >= 4.0.0 < 4.13.40 Search vendor "Contao" for product "Contao" and version " >= 4.0.0 < 4.13.40" | en |
Affected
| ||||||
| Contao Search vendor "Contao" | Contao Search vendor "Contao" for product "Contao" | >= 5.0.0 < 5.3.4 Search vendor "Contao" for product "Contao" and version " >= 5.0.0 < 5.3.4" | en |
Affected
| ||||||