Moritz Vondano

Name of the Vulnerable Software and Affected Versions: Contao versions 4.0.0 through 4.4.55 Contao versions 4.0.0 through 4.9.17 Contao versions 4.0.0 through 4.11.6 Description: The issue allows backend cross-site scripting (XSS) via HTML attributes to an HTML field. This can be exploited by untrusted users who have the rights to modify HTML fields, such as those using TinyMCE. The malicious code can be executed both in the element preview in the back end and on the website in the front end. Recommendations: For Contao versions 4.0.0 through 4.4.55, update to Contao 4.4.56. For Contao versions 4.0.0 through 4.9.17, update to Contao 4.9.18. For Contao versions 4.0.0 through 4.11.6, update to Contao 4.11.7. As a temporary workaround, consider disabling all fields that allow HTML for untrusted back end users or disable the login for these users.