QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2024-28191

Back to search

CVE-2024-28191

Published: Apr 9, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

3.1

LOW

Description

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.

VendorProductVersions

contao

contao

affected
>= 4.0.0, < 4.13.40
affected
>= 5.0.0, < 5.3.4

Weaknesses (CWE)

CWE-74

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now