CVE-2024-28191

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-28191
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.

3.1 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
Configurations

No configuration.

History

21 Nov 2024, 09:05

Type Values Removed Values Added
Summary
  • (es) Contao es un sistema de gestión de contenidos de código abierto. A partir de la versión 4.0.0 y antes de la versión 4.13.40 y 5.3.4, es posible inyectar etiquetas de inserción en formularios de interfaz si la salida está estructurada de una manera muy específica. Las versiones 4.13.40 y 5.3.4 de Contao tienen un parche para este problema. Como workaround, no genere datos de usuario desde formularios de interfaz uno al lado del otro, sepárelos siempre con al menos un carácter.
References () https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator - () https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator -
References () https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919 - () https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919 -
References () https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b - () https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b -
References () https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8 - () https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8 -

09 Apr 2024, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-04-09 14:15

Updated : 2024-11-21 09:05

NVD link : CVE-2024-28191

Mitre link : CVE-2024-28191

CVE.ORG link : CVE-2024-28191

JSON object : View

Products Affected

No product.

CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024