PT-2024-22350 · Contao · Contao

Leofeyer · Published 2024-04-09 · Updated 2025-01-17 · CVE-2024-28235

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Contao versions 4.9.0 through 4.13.39; Contao versions 5.0.0 through 5.3.3

Description: The issue arises when the crawler checks protected pages for broken links. The options passed to the HTTP client are applied to all requests, so Contao also sends the cookie header used for the protected pages to external URLs.

Recommendations: For Contao versions 4.9.0 through 4.13.39, update to Contao 4.13.40. For Contao versions 5.0.0 through 5.3.3, update to Contao 5.3.4. As a temporary workaround for all affected versions, consider disabling the crawling of protected pages to reduce the risk of exploitation.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-28235
GHSA-9JH5-QF84-X6PR

Affected Products

Contao