CVE-2023-36806
MEDIUM6.6EPSS 0.38%Cross site scripting via input unit widget
Published: 7/25/2023Modified: 4/17/2025
Also known as:GHSA-4gpr-p634-922x
Description
### Impact Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end). ### Patches Update to Contao 4.9.42, 4.13.28 or 5.1.10. ### Workarounds Disable login for all untrusted back end users. ### References https://contao.org/en/security-advisories/cross-site-scripting-in-widgets-with-units ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose). ### Credits Thanks to Christian Pöschl and Fabian Brenner from usd AG for reporting this vulnerability.
Affected packages (1)
- Packagist/contao/core-bundle>= 4.0.0, < 4.9.42
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.6 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-36806
- PATCHhttps://github.com/contao/contao
- WEBhttps://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
- WEBhttps://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
- WEBhttps://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
- WEBhttps://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
- WEBhttps://herolab.usd.de/security-advisories/usd-2023-0020