PT-2023-11227 · Contao · Contao

Published

2023-09-20

Updated

2023-09-23

CVE-2018-5478

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Contao versions 3.x through 3.5.31

Description The issue allows Cross-site Scripting (XSS) via the unsubscribe module in the frontend newsletter extension. This can be exploited to execute malicious scripts in the context of the affected application.

Recommendations For Contao versions 3.x through 3.5.31, update to version 3.5.32 or later to resolve the issue. As a temporary workaround, consider disabling the unsubscribe module in the frontend newsletter extension until a patch is available. Restrict access to the frontend newsletter extension to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-5478

GHSA-MPG7-2RX9-H5QP

Affected Products

Contao

PT-2023-11227 · Contao · Contao

CVE-2018-5478

Weakness Enumeration

Related Identifiers

Affected Products

References · 13