Usdresponsibledisclosure

Name of the Vulnerable Software and Affected Versions: Contao versions prior to 4.13.49 Contao versions prior to 5.3.15 Contao versions prior to 5.4.3 Description: Contao is an Open Source CMS. In affected versions, a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to mitigate the risk of remote attacks. Recommendations: Update to Contao 4.13.49 to resolve the issue. Update to Contao 5.3.15 to resolve the issue. Update to Contao 5.4.3 to resolve the issue. As a temporary workaround, consider configuring your web server so it does not execute PHP files and other scripts in the Contao file upload directory.

Name of the Vulnerable Software and Affected Versions: Contao versions prior to 4.13.49 Description: The issue allows authenticated users in the back end to list files outside the document root in the file selector widget. There are no known workarounds for this issue. Recommendations: Update to Contao 4.13.49. As a temporary workaround, consider restricting access to the file selector widget until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Oveleon Cookie Bar versions prior to 1.16.3 and 2.1.3 **Description** The `block/locale` endpoint does not properly sanitize the user-controlled `locale` input before including it in the backend's HTTP response, thereby causing reflected cross-site scripting. This issue affects Oveleon Cookie Bar, a tool for the Contao Open Source CMS that lets visitors set cookie and privacy preferences. **Recommendations** For versions prior to 1.16.3, update to version 1.16.3 or later. For versions prior to 2.1.3, update to version 2.1.3 or later. As a temporary workaround, consider disabling the `block/locale` endpoint until a patch is available. Restrict access to the `block/locale` endpoint to minimize the risk of exploitation. Sanitize the `locale` input to prevent XSS payloads from being executed in a user's browser.