CVE-2024-28190 - Vulnerability Details - OpenCVE

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01402.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Contao	Contao

Configuration 1 [-]

OR	cpe:2.3:a:contao:contao::::::::
	cpe:2.3:a:contao:contao::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1304	Contao: Cross site scripting in the file manager
Github GHSA	GHSA-v24p-7p4j-qvvf	Contao: Cross site scripting in the file manager

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce
https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d
https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf

History

Thu, 16 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Contao Contao contao
CPEs		cpe:2.3:a:contao:contao::::::::
Vendors & Products		Contao Contao contao

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-09T13:48:46.324Z

Updated: 2024-08-02T00:48:49.506Z

Reserved: 2024-03-06T17:35:00.859Z

Link: CVE-2024-28190

Vulnrichment

Updated: 2024-05-23T17:24:03.155Z

NVD

Status : Analyzed

Published: 2024-04-09T14:15:08.503

Modified: 2025-01-16T19:54:16.763

Link: CVE-2024-28190

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28190", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-06T17:35:00.859Z", "datePublished": "2024-04-09T13:48:46.324Z", "dateUpdated": "2024-08-02T00:48:49.506Z"}, "containers": {"cna": {"title": "Contao core bundle vulnerable to cross site scripting in the file manager", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"}, {"name": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce", "tags": ["x_refsource_MISC"], "url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"}, {"name": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d", "tags": ["x_refsource_MISC"], "url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"}, {"name": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager", "tags": ["x_refsource_MISC"], "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"}], "affected": [{"vendor": "contao", "product": "contao", "versions": [{"version": ">= 4.0.0, < 4.13.40", "status": "affected"}, {"version": ">= 5.0.0, < 5.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-09T13:57:49.326Z"}, "descriptions": [{"lang": "en", "value": "Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users."}], "source": {"advisory": "GHSA-v24p-7p4j-qvvf", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28190", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T17:12:31.297580Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:03:30.421Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.506Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"}, {"name": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"}, {"name": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"}, {"name": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28190", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-06T17:35:00.859Z", "datePublished": "2024-04-09T13:48:46.324Z", "dateUpdated": "2024-06-04T18:03:30.421Z"}, "containers": {"cna": {"title": "Contao core bundle vulnerable to cross site scripting in the file manager", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"}, {"name": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce", "tags": ["x_refsource_MISC"], "url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"}, {"name": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d", "tags": ["x_refsource_MISC"], "url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"}, {"name": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager", "tags": ["x_refsource_MISC"], "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"}], "affected": [{"vendor": "contao", "product": "contao", "versions": [{"version": ">= 4.0.0, < 4.13.40", "status": "affected"}, {"version": ">= 5.0.0, < 5.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-09T13:57:49.326Z"}, "descriptions": [{"lang": "en", "value": "Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users."}], "source": {"advisory": "GHSA-v24p-7p4j-qvvf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28190", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T17:12:31.297580Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T17:24:03.155Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "matchCriteriaId": "302B7F92-FC7F-4E43-BEE2-7D493B03CB0C", "versionEndExcluding": "4.13.40", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "matchCriteriaId": "556D1F95-B80C-4819-BFC2-CF3EF735BBE6", "versionEndExcluding": "5.3.4", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users."}, {"lang": "es", "value": "Contao es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. A partir de la versi\u00f3n 4.0.0 y antes de la versi\u00f3n 4.13.40 y 5.3.4, los usuarios pueden inyectar c\u00f3digo malicioso en los nombres de archivos al cargar archivos (back-end y front-end), que luego se ejecuta en informaci\u00f3n sobre herramientas y ventanas emergentes en el back-end. Las versiones 4.13.40 y 5.3.4 de Contao tienen un parche para este problema. Como workaround, elimine los campos de carga de los formularios frontales y deshabilite las cargas para usuarios finales que no sean de confianza."}], "id": "CVE-2024-28190", "lastModified": "2025-01-16T19:54:16.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-09T14:15:08.503", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}