Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).
Update to Contao 4.9.42, 4.13.28 or 5.1.10.
Disable login for all untrusted back end users.
https://contao.org/en/security-advisories/cross-site-scripting-in-widgets-with-units
If you have any questions or comments about this advisory, open an issue in contao/contao.
Thanks to Christian Pöschl and Fabian Brenner from usd AG for reporting this vulnerability.
| Score | Percentile |
|---|---|
| 0.19% | 41.49% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.6 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-4gpr-p634-922x ↗ |
| CVE | CVE-2023-36806 ↗ |
| CWE id | Name |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | contao/core-bundle | >= 4.0.0, < 4.9.42 | 4.9.42 | — |
| composer | contao/core-bundle | >= 4.10.0, < 4.13.28 | 4.13.28 | — |
| composer | contao/core-bundle | >= 5.0.0, < 5.1.10 | 5.1.10 | — |