PT-2024-22349 · Contao · Contao
Leofeyer +1
Published 2024-04-09 · Updated 2025-01-02
CVE-2024-28234 · CVSS v3.1 4.7 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Contao versions 2.0.0 through 4.13.39
Contao versions 5.0.0 through 5.3.3
Description
The BBCode handling for comments lets a commenter inject CSS styles into the rendered page. Installations are only affected if BBCode is enabled for comments. The vector (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N) records that no privileges are required to post the comment, that a visitor has to view the page for the injected CSS to take effect, that the impact lands on visitors' rendering of the page rather than on the server (scope changed), and that confidentiality and availability are not affected.
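To make the class of bug concrete, the following is an added illustration and not Contao's code: a minimal BBCode [color=...] renderer in the shape such a feature typically takes, shown in a vulnerable form that copies the tag value straight into a style attribute, and in a hardened form that only emits values from an allow-list. The tag syntax, regexes, function names and the sample comments are assumptions chosen for the demonstration and are not taken from the Contao code base.

```php
<?php
// Added illustration (not Contao's code). Tag syntax, regexes, function names and
// the sample comments below are assumptions for the demonstration only.
declare(strict_types=1);

// [color=VALUE]text[/color]; VALUE is anything up to the closing bracket.
const COLOR_TAG = '/\[color=([^\]]+)\](.*?)\[\/color\]/is';

// Escape HTML first so '<', '>' and quotes from the comment can never form tags or
// break out of an attribute. This does nothing about CSS syntax such as ';'.
function escapeComment(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable shape: the value between "[color=" and "]" is copied verbatim into the
// style attribute. A value such as "red;position:fixed;inset:0" therefore turns one
// declaration into several, i.e. arbitrary CSS chosen by the commenter, without
// needing to escape the attribute's quotes at all.
function renderColorVulnerable(string $comment): string
{
    return preg_replace(COLOR_TAG, '<span style="color:$1">$2</span>', escapeComment($comment)) ?? '';
}

// Hardened shape: the value is only emitted when it matches an allow-list of safe
// color tokens (3- or 6-digit hex, or a plain keyword). Anything else drops the tag
// and keeps the inner text, so no commenter-chosen CSS syntax reaches the page.
function renderColorHardened(string $comment): string
{
    return preg_replace_callback(
        COLOR_TAG,
        static function (array $m): string {
            if (preg_match('/\A(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})\z/i', $m[1]) === 1) {
                return '<span style="color:' . $m[1] . '">' . $m[2] . '</span>';
            }
            return $m[2];
        },
        escapeComment($comment)
    ) ?? '';
}

// Constructed inputs: a benign use of the tag and a payload that smuggles extra
// declarations through the color value.
$benign  = '[color=#c00]Please read the rules[/color]';
$payload = '[color=red;position:fixed;inset:0;background:#fff]Click here[/color]';

foreach ([$benign, $payload] as $comment) {
    echo 'vulnerable: ', renderColorVulnerable($comment), PHP_EOL;
    echo 'hardened:   ', renderColorHardened($comment), PHP_EOL;
}
```

Run it with `php` from the command line. For the benign comment both functions produce the same coloured span. For the payload, the vulnerable function passes the `position:fixed;inset:0;background:#fff` declarations through into the style attribute, which is enough to cover the whole page for every visitor who views the comment; the hardened function refuses the value and emits only the text "Click here". The check is an allow-list on the value itself rather than an attempt to strip `;` or other CSS punctuation, because the set of safe colour tokens is small and easy to describe, while the set of dangerous CSS is not.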
Recommendations
For Contao versions 2.0.0 through 4.13.39, update to Contao 4.13.40.
For Contao versions 5.0.0 through 5.3.3, update to Contao 5.3.4.
As a temporary workaround for all affected versions, disable BBCode for comments; since the issue only applies when BBCode is enabled, this removes the affected configuration until the update can be applied.
Exploit
Fix
Weakness Enumeration
Special Elements Injection
Related Identifiers
Affected Products
Contao