
exploitDog

GHSA-vqqr-fgmh-f626

Published: 18 Mar 2025
Source: github
GitHub: Reviewed
CVSS4: 4.8

Description

Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads

Impact

Users can upload SVG files with malicious code, which is then executed in the back end and/or front end.

Patches

Update to Contao 4.13.54, 5.3.30 or 5.5.6.

Workarounds

Remove svg,svgz from the allowed upload file types in the system settings and from contao.editable_files in the config.yaml.
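As an added illustration of the workaround above (not Contao's own code), the following upload gate applies an extension allow-list from which svg and svgz have been removed and, as defense in depth, rejects any upload whose content is an SVG document regardless of its file name. It also reports the script-capable constructs in an SVG that make this class of upload an XSS risk. The allow-list and sample inputs are assumptions constructed for the example.

```python
import gzip
import xml.etree.ElementTree as ET

# Assumed allow-list with svg/svgz already removed, as the workaround instructs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf"}
SVG_NS = "http://www.w3.org/2000/svg"
# Constructed sample: a harmless SVG compressed as svgz (gzip-wrapped SVG).
SAMPLE_SVGZ = gzip.compress(b'<svg xmlns="http://www.w3.org/2000/svg"/>')


def _inflate_if_svgz(data: bytes) -> bytes:
    """svgz is gzip-compressed SVG; inflate it so the content check sees XML."""
    if data[:2] == b"\x1f\x8b":
        try:
            return gzip.decompress(data)
        except OSError:
            return data
    return data


def looks_like_svg(data: bytes) -> bool:
    """True when the bytes parse as XML whose root element is <svg>."""
    try:
        root = ET.fromstring(_inflate_if_svgz(data))
    except ET.ParseError:
        return False
    return root.tag in ("svg", "{%s}svg" % SVG_NS)


def svg_active_content(data: bytes) -> list:
    """List script-capable constructs: <script>/<foreignObject>, on* handlers, javascript: hrefs."""
    try:
        root = ET.fromstring(_inflate_if_svgz(data))
    except ET.ParseError:
        return ["unparseable"]
    findings = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()  # strip XML namespace
        if local in ("script", "foreignobject"):
            findings.append("<%s>" % local)
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):
                findings.append("%s@%s" % (local, attr))
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("%s@%s=javascript:" % (local, attr))
    return findings


def is_upload_allowed(filename: str, data: bytes) -> bool:
    """Extension allow-list first, then reject SVG content whatever the name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS and not looks_like_svg(data)
```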

References

https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Packages

Name: contao/core-bundle (composer)
Affected versions: >= 4.0.0, < 4.13.54
Fixed version: 4.13.54

Name: contao/core-bundle (composer)
Affected versions: >= 5.3.0, < 5.3.30
Fixed version: 5.3.30

Name: contao/core-bundle (composer)
Affected versions: >= 5.4.0, < 5.5.6
Fixed version: 5.5.6

EPSS: 0.00135 (percentile: 34%, Low)

CVSS4: 4.8 Medium

Weaknesses: CWE-79

Related vulnerabilities

nvd (CVSS3: 5.4, 11 months ago)

Contao is an Open Source CMS. Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. This vulnerability is fixed in Contao 4.13.54, 5.3.30, or 5.5.6.