GHSA-v24p-7p4j-qvvf: Contao: Cross site scripting in the file manager

Impact

Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.
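The rendering mistake behind this class of bug, shown as an added example that is not part of the advisory and not Contao's own code: a stored file name is interpolated straight into tooltip markup, so markup characters inside the name become live HTML; encoding the name for both the attribute and the text node makes it inert. The function names, the character allow-list and the sample file name are all constructed for this illustration.

```javascript
// Added illustration, not Contao's code: the vulnerable pattern behind
// file-name XSS in a tooltip, the encoded version that fixes it, and an
// upload-time name check. All function names and sample values are
// constructed for this example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string so it is inert both as HTML text and inside a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored file name is concatenated straight into the
// tooltip markup, so any markup characters in the name become live HTML.
function tooltipMarkupUnsafe(fileName) {
  return `<span class="tip" title="${fileName}">${fileName}</span>`;
}

// Hardened pattern: encode the name once and use the encoded form for both
// the title attribute and the visible text.
function tooltipMarkupSafe(fileName) {
  const encoded = escapeHtml(fileName);
  return `<span class="tip" title="${encoded}">${encoded}</span>`;
}

// Defence in depth at upload time (constructed policy): accept only a
// conservative character set so markup delimiters never reach storage, and
// refuse path traversal sequences.
const SAFE_FILE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;
function isAcceptableFileName(fileName) {
  return SAFE_FILE_NAME.test(fileName) && !fileName.includes('..');
}

// Constructed sample: a file name carrying a tag and attribute delimiters.
const SAMPLE_NAME = 'quarterly<b>"report".pdf';

// Returns true when the unsafe rendering leaks raw markup and the safe one does not.
function demonstrate(fileName = SAMPLE_NAME) {
  const unsafe = tooltipMarkupUnsafe(fileName);
  const safe = tooltipMarkupSafe(fileName);
  const leaksMarkup = /<b>/.test(unsafe);
  const safeIsInert = !/<b>/.test(safe) && !safe.includes('"report"');
  return leaksMarkup && safeIsInert;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', tooltipMarkupUnsafe(SAMPLE_NAME));
  console.log('safe:  ', tooltipMarkupSafe(SAMPLE_NAME));
  console.log('accepted at upload?', isAcceptableFileName(SAMPLE_NAME));
}
```

The same rule applies wherever the name is interpolated: server-side templates, client-side string building for popups, and JSON embedded in a page. Where the tooltip is built in DOM code, assigning the name via `textContent` or `setAttribute` instead of `innerHTML` sidesteps the encoding step entirely; the upload-time allow-list is a second layer, not a replacement for output encoding.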

Patches

Update to Contao 4.13.40 or Contao 5.3.4.

Workarounds

Disable uploads for untrusted users.

References

https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Credits

Thanks to Alexander Wuttke for reporting this vulnerability.

Package

composer contao/core-bundle (Composer)

Affected versions

>= 4.0.0, < 4.13.40

>= 5.0.0-RC1, < 5.3.4

Patched versions

4.13.40

5.3.4

References

  • GHSA-v24p-7p4j-qvvf
  • https://nvd.nist.gov/vuln/detail/CVE-2024-28190
  • contao/contao@878d28d
  • contao/contao@b794e14
  • https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager

leofeyer published to contao/contao

Apr 9, 2024

Published by the National Vulnerability Database

Apr 9, 2024

Published to the GitHub Advisory Database

Apr 9, 2024

Reviewed

Apr 9, 2024

Last updated

Apr 9, 2024