CVE-2023-36806

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-36806

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36806.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-36806

Aliases

GHSA-4gpr-p634-922x

Published

2023-07-25T18:47:34Z

Modified

2025-11-04T20:14:00.732325Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L CVSS Calculator

Summary

Contao cross site scripting vulnerability via input unit widget

Details

Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.9.42, 4.13.28, and 5.1.10, it is possible for untrusted backend users to inject malicious code into headline fields in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights to modify headline fields, or other fields using the input unit widget. Contao 4.9.42, 4.13.28, and 5.1.10 have a patch for this issue. As a workaround, disable the login for all untrusted back end users.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/contao/contao

Affected ranges

Type

GIT

Repo

https://github.com/contao/contao

Events

Introduced

84b2fe637d5ead531f117f26b48d1b9de8df4074

Fixed

7749eeb064a66aebdea0bc456b585a79a3d4c2c8

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.9.42"
        }
    ]
}

Type

GIT

Repo

https://github.com/contao/contao

Events

Introduced

5a25b1d689ffde95a00427bdfde03695a2c645c3

Fixed

7d39bb2f820e3f374016cea5dfbcf38bf54e8b92

Database specific

{
    "versions": [
        {
            "introduced": "4.10.0"
        },
        {
            "fixed": "4.13.28"
        }
    ]
}

Type

GIT

Repo

https://github.com/contao/contao

Events

Introduced

8cb541c59cb07ecb62fc5c5685c6448f38b97ad8

Fixed

e4a85c748e567368ab9fa8cfeedaa56b6c12263a

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.1.10"
        }
    ]
}

Affected versions

4.*

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.11.0

4.11.0-RC1

4.11.0-RC2

4.11.1

4.11.2

4.11.3

4.11.4

4.11.5

4.11.6

4.11.7

4.11.8

4.11.9

4.12.0

4.12.0-RC1

4.12.0-RC2

4.12.0-RC3

4.12.1

4.12.2

4.12.3

4.12.4

4.12.5

4.12.6

4.12.7

4.13.0

4.13.0-RC1

4.13.0-RC2

4.13.0-RC3

4.13.1

4.13.10

4.13.11

4.13.12

4.13.13

4.13.14

4.13.15

4.13.16

4.13.17

4.13.18

4.13.19

4.13.2

4.13.20

4.13.21

4.13.22

4.13.23

4.13.24

4.13.25

4.13.26

4.13.27

4.13.3

4.13.4

4.13.5

4.13.6

4.13.7

4.13.8

4.13.9

4.4.52

4.4.53

4.4.54

4.4.55

4.9.10

4.9.11

4.9.12

4.9.13

4.9.14

4.9.15

4.9.16

4.9.17

4.9.18

4.9.19

4.9.20

4.9.21

4.9.22

4.9.23

4.9.24

4.9.25

4.9.26

4.9.27

4.9.28

4.9.29

4.9.30

4.9.31

4.9.32

4.9.33

4.9.34

4.9.35

4.9.36

4.9.37

4.9.38

4.9.39

4.9.40

4.9.41

4.9.6

4.9.7

4.9.8

4.9.9

5.*

5.0.0

5.0.1

5.0.10

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.1.0

5.1.0-RC1

5.1.0-RC2

5.1.0-RC3

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9