CVE-2024-28190
Contao: Cross site scripting in the file manager
Severity: MEDIUM (5.4) | EPSS: 0.99%
Published: 4/9/2024 | Modified: 4/17/2025
Also known as: GHSA-v24p-7p4j-qvvf
Description
### Impact
Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.
### Patches
Update to Contao 4.13.40 or Contao 5.3.4.
### Workarounds
Disable uploads for untrusted users.
### References
https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
### For more information
If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
### Credits
Thanks to Alexander Wuttke for reporting this vulnerability.
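The Impact section above describes a file name that carries markup and is rendered raw into a backend tooltip. The following added example (not Contao's code; the tooltip markup, file names and the upload-name policy are assumptions constructed for illustration) shows the vulnerable rendering pattern beside the escaped one, plus a conservative upload-time name check in the spirit of the workaround:

```python
import html
import re

# Constructed sample file names as they might appear in a backend file listing.
# The second one carries HTML markup in its name, the pattern behind this advisory.
SAMPLE_NAMES = [
    "report-2024.pdf",
    'photo"><b>injected</b>.jpg',
]

def tooltip_unescaped(name: str) -> str:
    """Vulnerable pattern (assumed markup): the name is interpolated raw into
    both the title attribute and the element text."""
    return f'<span title="{name}">{name}</span>'

def tooltip_escaped(name: str) -> str:
    """Hardened pattern: escape for attribute and text context before rendering.
    quote=True also encodes " and ' so the attribute cannot be broken out of."""
    safe = html.escape(name, quote=True)
    return f'<span title="{safe}">{safe}</span>'

def live_tags(rendered: str) -> list:
    """Return the names of opening tags the browser would actually parse.
    Escaped markup (&lt;b&gt;) no longer matches, so only real tags are listed."""
    return re.findall(r"<([A-Za-z][A-Za-z0-9]*)", rendered)

# Assumed upload-time policy: letters, digits, dot, underscore, hyphen, space.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._ -]+$")

def is_acceptable_upload_name(name: str, max_len: int = 255) -> bool:
    """Reject file names outside a conservative character set at upload time,
    as a defence-in-depth layer independent of output escaping."""
    if not name or len(name) > max_len or name in {".", ".."}:
        return False
    return SAFE_NAME.fullmatch(name) is not None

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("unescaped tags:", live_tags(tooltip_unescaped(name)))
        print("escaped tags:  ", live_tags(tooltip_escaped(name)))
        print("upload accepted:", is_acceptable_upload_name(name))
```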
Affected packages (1)
- Packagist / contao/core-bundle: >= 4.0.0, < 4.13.40
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-28190
- PATCH: https://github.com/contao/contao
- WEB: https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
- WEB: https://github.com/contao/contao/commit/878d28dbe0f408740555d6fc8b634bd3f8febfce
- WEB: https://github.com/contao/contao/commit/b794e14fff070101bf6a885da9b1a83395093b4d
- WEB: https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf