CVE-2011-0508

Name of the Vulnerable Software and Affected Versions Contao CMS versions prior to 2.9.3

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the HTTP X FORWARDED FOR header. This header is stored by system/libraries/Environment.php but not properly handled by a comments action to main.php.

Recommendations For versions prior to 2.9.3, update to version 2.9.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the comments action in main.php until a patch is available. Avoid using the X FORWARDED FOR header in the affected comments module until the issue is resolved.