CVE-2024-28190 (GCVE-0-2024-28190)
Vulnerability from cvelistv5 – Published: 2024-04-09 13:48 – Updated: 2024-08-02 00:48
VLAI?
Summary
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T17:12:31.297580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:30.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.506Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"
},
{
"name": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"
},
{
"name": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"
},
{
"name": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "contao",
"vendor": "contao",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.13.40"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T13:57:49.326Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf"
},
{
"name": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce"
},
{
"name": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d"
},
{
"name": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager",
"tags": [
"x_refsource_MISC"
],
"url": "https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager"
}
],
"source": {
"advisory": "GHSA-v24p-7p4j-qvvf",
"discovery": "UNKNOWN"
},
"title": "Contao core bundle vulnerable to cross site scripting in the file manager"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28190",
"datePublished": "2024-04-09T13:48:46.324Z",
"dateReserved": "2024-03-06T17:35:00.859Z",
"dateUpdated": "2024-08-02T00:48:49.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.\"}, {\"lang\": \"es\", \"value\": \"Contao es un sistema de gesti\\u00f3n de contenidos de c\\u00f3digo abierto. A partir de la versi\\u00f3n 4.0.0 y antes de la versi\\u00f3n 4.13.40 y 5.3.4, los usuarios pueden inyectar c\\u00f3digo malicioso en los nombres de archivos al cargar archivos (back-end y front-end), que luego se ejecuta en informaci\\u00f3n sobre herramientas y ventanas emergentes en el back-end. Las versiones 4.13.40 y 5.3.4 de Contao tienen un parche para este problema. Como workaround, elimine los campos de carga de los formularios frontales y deshabilite las cargas para usuarios finales que no sean de confianza.\"}]",
"id": "CVE-2024-28190",
"lastModified": "2024-11-21T09:05:59.677",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}]}",
"published": "2024-04-09T14:15:08.503",
"references": "[{\"url\": \"https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-28190\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-04-09T14:15:08.503\",\"lastModified\":\"2025-01-16T19:54:16.763\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.\"},{\"lang\":\"es\",\"value\":\"Contao es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. A partir de la versi\u00f3n 4.0.0 y antes de la versi\u00f3n 4.13.40 y 5.3.4, los usuarios pueden inyectar c\u00f3digo malicioso en los nombres de archivos al cargar archivos (back-end y front-end), que luego se ejecuta en informaci\u00f3n sobre herramientas y ventanas emergentes en el back-end. Las versiones 4.13.40 y 5.3.4 de Contao tienen un parche para este problema. Como workaround, elimine los campos de carga de los formularios frontales y deshabilite las cargas para usuarios finales que no sean de confianza.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.13.40\",\"matchCriteriaId\":\"302B7F92-FC7F-4E43-BEE2-7D493B03CB0C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.3.4\",\"matchCriteriaId\":\"556D1F95-B80C-4819-BFC2-CF3EF735BBE6\"}]}]}],\"references\":[{\"url\":\"https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Contao core bundle vulnerable to cross site scripting in the file manager\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-79\", \"lang\": \"en\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf\"}, {\"name\": \"https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce\"}, {\"name\": \"https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d\"}, {\"name\": \"https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager\"}], \"affected\": [{\"vendor\": \"contao\", \"product\": \"contao\", \"versions\": [{\"version\": \"\u003e= 4.0.0, \u003c 4.13.40\", \"status\": \"affected\"}, {\"version\": \"\u003e= 5.0.0, \u003c 5.3.4\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-04-09T13:57:49.326Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.\"}], \"source\": {\"advisory\": \"GHSA-v24p-7p4j-qvvf\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28190\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-09T17:12:31.297580Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T17:24:03.155Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
"cveMetadata": "{\"cveId\": \"CVE-2024-28190\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-03-06T17:35:00.859Z\", \"datePublished\": \"2024-04-09T13:48:46.324Z\", \"dateUpdated\": \"2024-06-04T18:03:30.421Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…