Moderate severityNVD Advisory· Published Aug 12, 2021· Updated Aug 4, 2024
CVE-2021-35955
CVE-2021-35955
Description
Contao >=4.0.0 allows backend XSS via HTML attributes to an HTML field. Fixed in 4.4.56, 4.9.18, 4.11.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
contao/core-bundlePackagist | >= 4.0.0, < 4.4.56 | 4.4.56 |
contao/contaoPackagist | >= 4.0.0, < 4.4.56 | 4.4.56 |
contao/contaoPackagist | >= 4.5.0, < 4.9.18 | 4.9.18 |
contao/contaoPackagist | >= 4.10.0, < 4.11.7 | 4.11.7 |
contao/core-bundlePackagist | >= 4.5.0, < 4.9.18 | 4.9.18 |
contao/core-bundlePackagist | >= 4.10.0, < 4.11.7 | 4.11.7 |
Affected products
3- Contao/Contaodescription
- ghsa-coords2 versions
>= 4.0.0, < 4.4.56+ 1 more
- (no CPE)range: >= 4.0.0, < 4.4.56
- (no CPE)range: >= 4.0.0, < 4.4.56
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-hr3h-x6gq-rqcpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-35955ghsaADVISORY
- contao.org/en/news/contao-4-9-16-and-4-11-5-are-available.htmlghsax_refsource_MISCWEB
- contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.htmlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35955.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35955.yamlghsaWEB
- github.com/contao/contao/security/advisories/GHSA-hr3h-x6gq-rqcpghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.