VYPR
Low severityNVD Advisory· Published Apr 9, 2024· Updated Aug 2, 2024

Contao may have unencoded insert tags in the frontend

CVE-2024-28191

Description

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
contao/core-bundlePackagist
>= 4.0.0, < 4.13.404.13.40
contao/core-bundlePackagist
>= 5.0.0-RC1, < 5.3.45.3.4

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.