CVE-2024-28190

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager	Vendor Advisory
https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce	Patch
https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d	Patch
https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf	Vendor Advisory
https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager	Vendor Advisory
https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce	Patch
https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d	Patch
https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:contao:contao::::::::
	cpe:2.3:a:contao:contao::::::::

History

16 Jan 2025, 19:54

Type	Values Removed	Values Added
References	~~() https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager -~~	() https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager - Vendor Advisory
References	~~() https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce -~~	() https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce - Patch
References	~~() https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d -~~	() https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d - Patch
References	~~() https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf -~~	() https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf - Vendor Advisory
First Time		Contao Contao contao
CPE		cpe:2.3:a:contao:contao::::::::

Information

Published : 2024-04-09 14:15

Updated : 2025-01-16 19:54

NVD link : CVE-2024-28190

Mitre link : CVE-2024-28190

CVE.ORG link : CVE-2024-28190

JSON object : View

Products Affected

contao

contao

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10