PT-2024-22325 · Contao · Contao
Lowleofeyer · Published 2024-04-09 · Updated 2025-01-17 · CVE-2024-28191
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Contao versions 4.0.0 through 4.13.39
Contao versions 5.0.0 through 5.3.3
Description
The issue allows injecting insert tags through frontend forms if the output is structured in a very specific way: insert tags can be injected via the form generator when the submitted form data is output on the page in that specific way.
Recommendations
For Contao versions 4.0.0 through 4.13.39, update to Contao 4.13.40.
For Contao versions 5.0.0 through 5.3.3, update to Contao 5.3.4.
As a temporary workaround, do not output user data from frontend forms directly next to each other; always separate the fields by at least one character.
Do not output the submitted form data on the website.
Exploit
Fix
Special Elements Injection
Weakness Enumeration
Related Identifiers
Affected Products: Contao