GHSA-4gpr-p634-922x

Suggest an improvement
Source
https://github.com/advisories/GHSA-4gpr-p634-922x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-4gpr-p634-922x/GHSA-4gpr-p634-922x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4gpr-p634-922x
Aliases
Published
2023-07-25T17:19:10Z
Modified
2024-02-21T05:32:40.652782Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
Cross site scripting via input unit widget
Details

Impact

Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).

Patches

Update to Contao 4.9.42, 4.13.28 or 5.1.10.

Workarounds

Disable login for all untrusted back end users.

References

https://contao.org/en/security-advisories/cross-site-scripting-in-widgets-with-units

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Credits

Thanks to Christian Pöschl and Fabian Brenner from usd AG for reporting this vulnerability.

Database specific 
{
    "nvd_published_at": "2023-07-25T19:15:11Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T17:19:10Z"
}
References

Affected packages

Packagist / contao/core-bundle

Package

Name
contao/core-bundle
Purl
pkg:composer/contao/core-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.9.42

Affected versions

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0-beta1
4.1.0-RC1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0-beta1
4.2.0-RC1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0-RC1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.4.0-beta1
4.4.0-RC1
4.4.0-RC2
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.17
4.4.18
4.4.19
4.4.20
4.4.21
4.4.22
4.4.23
4.4.24
4.4.25
4.4.26
4.4.27
4.4.28
4.4.29
4.4.30
4.4.31
4.4.32
4.4.33
4.4.34
4.4.35
4.4.36
4.4.37
4.4.38
4.4.39
4.4.40
4.4.41
4.4.42
4.4.43
4.4.44
4.4.45
4.4.46
4.4.47
4.4.48
4.4.49
4.4.50
4.4.51
4.4.52
4.4.53
4.4.54
4.4.55
4.4.56
4.4.57
4.5.0-beta1
4.5.0-beta2
4.5.0-beta3
4.5.0-RC1
4.5.0-RC2
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.6.0-RC1
4.6.0-RC2
4.6.0-RC3
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.6.10
4.6.11
4.6.12
4.6.13
4.6.14
4.7.0-RC1
4.7.0-RC2
4.7.0-RC3
4.7.0-RC4
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.7.7
4.8.0-RC1
4.8.0-RC2
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.9.0-RC1
4.9.0-RC2
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
4.9.8
4.9.9
4.9.10
4.9.11
4.9.12
4.9.13
4.9.14
4.9.15
4.9.16
4.9.17
4.9.18
4.9.19
4.9.20
4.9.21
4.9.22
4.9.23
4.9.24
4.9.25
4.9.26
4.9.27
4.9.28
4.9.29
4.9.30
4.9.31
4.9.32
4.9.33
4.9.34
4.9.35
4.9.36
4.9.37
4.9.38
4.9.39
4.9.40
4.9.41

Packagist / contao/core-bundle

Package

Name
contao/core-bundle
Purl
pkg:composer/contao/core-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.13.28

Affected versions

4.*

4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.11.0-RC1
4.11.0-RC2
4.11.0
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.11.6
4.11.7
4.11.8
4.11.9
4.12.0-RC1
4.12.0-RC2
4.12.0-RC3
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.12.6
4.12.7
4.13.0-RC1
4.13.0-RC2
4.13.0-RC3
4.13.0
4.13.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.13.11
4.13.12
4.13.13
4.13.14
4.13.15
4.13.16
4.13.17
4.13.18
4.13.19
4.13.20
4.13.21
4.13.22
4.13.23
4.13.24
4.13.25
4.13.26
4.13.27

Packagist / contao/core-bundle

Package

Name
contao/core-bundle
Purl
pkg:composer/contao/core-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.1.10

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.1.0-RC1
5.1.0-RC2
5.1.0-RC3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9