exploitDog


GHSA-v24p-7p4j-qvvf

Published: 09 Apr 2024
Source: github
GitHub: reviewed
CVSS3: 5.4

Description

Contao: Cross site scripting in the file manager

Impact

Users can insert malicious code into file names when uploading files; the unescaped name is then rendered in tooltips and popups in the back end, where it executes as HTML/JavaScript in the context of the back-end user viewing the file manager.
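The pattern behind this advisory, as an added example that is not Contao's code: a file name that closes an HTML attribute is placed raw into a tooltip (the vulnerable shape), beside the escaped rendering a patched build would need, plus a small audit that walks an upload directory for names carrying HTML metacharacters, since patching does not rename files an attacker already uploaded. The directory layout, the sample file name and the `title`-attribute markup are assumptions for illustration, not Contao's actual templates.

```python
"""Added example (not Contao's code): file-name XSS in a tooltip, and an audit
for already-uploaded suspicious names. Assumes a POSIX filesystem, where
quotes and angle brackets are legal in file names."""
import html
import os
import re
import tempfile

# Characters that can break out of an HTML attribute or text node.
# Assumption: the back end drops the raw name into a title attribute / popup.
HTML_META = re.compile(r'[<>"\'&]')


def is_suspicious_name(name: str) -> bool:
    """True if the name contains characters that need HTML escaping."""
    return bool(HTML_META.search(name))


def scan_upload_dir(root: str) -> list:
    """Return relative paths of files and directories with suspicious names."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            if is_suspicious_name(n):
                hits.append(os.path.relpath(os.path.join(dirpath, n), root))
    return sorted(hits)


def tooltip_unsafe(filename: str) -> str:
    """Vulnerable shape: raw file name interpolated into markup."""
    return f'<a href="#" title="{filename}">{filename}</a>'


def tooltip_safe(filename: str) -> str:
    """Hardened shape: escape for both attribute and text context
    (quote=True also turns " and ' into entities)."""
    esc = html.escape(filename, quote=True)
    return f'<a href="#" title="{esc}">{esc}</a>'


def demo() -> dict:
    """Build a constructed upload tree, scan it and render both tooltips."""
    # Constructed sample: a name that closes title="..." and adds a handler.
    evil = 'report" onmouseover="alert(1)'
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "files", "sub"))
        open(os.path.join(d, "files", "clean.pdf"), "w").close()
        open(os.path.join(d, "files", "sub", evil + ".png"), "w").close()
        hits = scan_upload_dir(d)
    return {
        "hits": hits,
        "unsafe": tooltip_unsafe(evil),
        "safe": tooltip_safe(evil),
    }


if __name__ == "__main__":
    result = demo()
    print("suspicious names:", result["hits"])
    print("unsafe markup:  ", result["unsafe"])
    print("escaped markup: ", result["safe"])
```

Run the audit against the real upload root of an instance before and after upgrading; any hit is a name to rename or delete, because the escaping fix only protects new renderings, not the stored name.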

Patches

Update to Contao 4.13.40 or Contao 5.3.4.

Workarounds

Disable uploads for untrusted users.

References

https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Credits

Thanks to Alexander Wuttke for reporting this vulnerability.

Packages

Name: contao/core-bundle (composer)
Affected versions: >= 4.0.0, < 4.13.40
Fixed version: 4.13.40

Name: contao/core-bundle (composer)
Affected versions: >= 5.0.0-RC1, < 5.3.4
Fixed version: 5.3.4

EPSS

Percentile: 80%
Score: 0.01402
Low

CVSS3: 5.4 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
nvd
almost 2 years ago

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.
