CVE-2024-28190 - OpenCVE

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce
https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d
https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-09T13:48:46.324Z

Updated: 2024-08-02T00:48:49.506Z

Reserved: 2024-03-06T17:35:00.859Z

Link: CVE-2024-28190

Vulnrichment

Updated: 2024-05-23T17:24:03.155Z

NVD

Status : Awaiting Analysis

Published: 2024-04-09T14:15:08.503

Modified: 2024-04-10T13:24:22.187

Link: CVE-2024-28190

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28190", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-06T17:35:00.859Z", "datePublished": "2024-04-09T13:48:46.324Z", "dateUpdated": "2024-08-02T00:48:49.506Z"}, "containers": {"cna": {"title": "Contao core bundle vulnerable to cross site scripting in the file manager", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"}, {"name": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce", "tags": ["x_refsource_MISC"], "url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"}, {"name": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d", "tags": ["x_refsource_MISC"], "url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"}, {"name": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager", "tags": ["x_refsource_MISC"], "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"}], "affected": [{"vendor": "contao", "product": "contao", "versions": [{"version": ">= 4.0.0, < 4.13.40", "status": "affected"}, {"version": ">= 5.0.0, < 5.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-09T13:57:49.326Z"}, "descriptions": [{"lang": "en", "value": "Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users."}], "source": {"advisory": "GHSA-v24p-7p4j-qvvf", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28190", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T17:12:31.297580Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:03:30.421Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.506Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"}, {"name": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"}, {"name": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"}, {"name": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28190", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-06T17:35:00.859Z", "datePublished": "2024-04-09T13:48:46.324Z", "dateUpdated": "2024-06-04T18:03:30.421Z"}, "containers": {"cna": {"title": "Contao core bundle vulnerable to cross site scripting in the file manager", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"}, {"name": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce", "tags": ["x_refsource_MISC"], "url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"}, {"name": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d", "tags": ["x_refsource_MISC"], "url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"}, {"name": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager", "tags": ["x_refsource_MISC"], "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"}], "affected": [{"vendor": "contao", "product": "contao", "versions": [{"version": ">= 4.0.0, < 4.13.40", "status": "affected"}, {"version": ">= 5.0.0, < 5.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-09T13:57:49.326Z"}, "descriptions": [{"lang": "en", "value": "Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users."}], "source": {"advisory": "GHSA-v24p-7p4j-qvvf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28190", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T17:12:31.297580Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T17:24:03.155Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users."}, {"lang": "es", "value": "Contao es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. A partir de la versi\u00f3n 4.0.0 y antes de la versi\u00f3n 4.13.40 y 5.3.4, los usuarios pueden inyectar c\u00f3digo malicioso en los nombres de archivos al cargar archivos (back-end y front-end), que luego se ejecuta en informaci\u00f3n sobre herramientas y ventanas emergentes en el back-end. Las versiones 4.13.40 y 5.3.4 de Contao tienen un parche para este problema. Como workaround, elimine los campos de carga de los formularios frontales y deshabilite las cargas para usuarios finales que no sean de confianza."}], "id": "CVE-2024-28190", "lastModified": "2024-04-10T13:24:22.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-09T14:15:08.503", "references": [{"source": "security-advisories@github.com", "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"}, {"source": "security-advisories@github.com", "url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"}, {"source": "security-advisories@github.com", "url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"}, {"source": "security-advisories@github.com", "url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}