Low severityNVD Advisory· Published Apr 9, 2024· Updated Aug 2, 2024
Contao may have unencoded insert tags in the frontend
CVE-2024-28191
Description
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
contao/core-bundlePackagist | >= 4.0.0, < 4.13.40 | 4.13.40 |
contao/core-bundlePackagist | >= 5.0.0-RC1, < 5.3.4 | 5.3.4 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-747v-52c4-8vj8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-28191ghsaADVISORY
- contao.org/en/security-advisories/insert-tag-injection-via-the-form-generatorghsax_refsource_MISCWEB
- github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919ghsax_refsource_MISCWEB
- github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016bghsax_refsource_MISCWEB
- github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.