CVE-2024-28191

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Published: Apr 9, 2024 / Updated: 7mo ago

CVSS 3.1 (Low) / EPSS 0.05%

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Apr 9, 2024 at 5:19 AM
First Article

Feedly found the first article mentioning CVE-2024-28191.

Apr 9, 2024 at 8:41 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Apr 9, 2024 at 8:41 AM
CVE Assignment

NVD published the first details for CVE-2024-28191

Apr 9, 2024 at 2:15 PM
CVSS

A CVSS base score of 3.1 has been assigned.

Apr 9, 2024 at 2:25 PM / nvd
EPSS

EPSS Score was set to: 0% (Percentile: 14%)

Apr 10, 2024 at 11:44 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 13.7%)

Apr 10, 2024 at 6:56 PM

Affected Systems

Contao/contao

Patches

Github Advisory

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

[GHSA-747v-52c4-8vj8] Contao: Unencoded insert tags in the frontend
Package Information It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.

News

Multiple vulnerabilities in Contao
CVE-2024-28191 | Contao up to 4.13.39/5.3.3 Frontend Form injection (GHSA-747v-52c4-8vj8)
A vulnerability, which was classified as problematic, was found in Contao up to 4.13.39/5.3.3. This affects an unknown part of the component Frontend Form Handler. The manipulation leads to injection. This vulnerability is uniquely identified as CVE-2024-28191. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-28191
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability Impact: None
