GHSA-9jh5-qf84-x6pr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9jh5-qf84-x6pr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-9jh5-qf84-x6pr/GHSA-9jh5-qf84-x6pr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9jh5-qf84-x6pr
- Aliases
- Published
- 2024-04-09T15:50:59Z
- Modified
- 2024-04-10T18:58:57.060542Z
- Severity
-
- 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Contao: Possible cookie sharing with external domains while checking protected pages for broken links
- Details
-
Impact
If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.
Patches
Update to Contao 4.13.40 or 5.3.4.
Workarounds
Disable crawling protected pages.
References
https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
- Database specific
{ "nvd_published_at": "2024-04-09T16:15:07Z", "cwe_ids": [ "CWE-200" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-04-09T15:50:59Z" }- References
-
- https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
- https://nvd.nist.gov/vuln/detail/CVE-2024-28235
- https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
- https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
- https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
- https://github.com/contao/contao
- https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
Affected packages
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Affected versions
4.*
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
4.9.8
4.9.9
4.9.10
4.9.11
4.9.12
4.9.13
4.9.14
4.9.15
4.9.16
4.9.17
4.9.18
4.9.19
4.9.20
4.9.21
4.9.22
4.9.23
4.9.24
4.9.25
4.9.26
4.9.27
4.9.28
4.9.29
4.9.30
4.9.31
4.9.32
4.9.33
4.9.34
4.9.35
4.9.36
4.9.37
4.9.38
4.9.39
4.9.40
4.9.41
4.9.42
4.10.0-RC1
4.10.0-RC2
4.10.0-RC3
4.10.0-RC4
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.11.0-RC1
4.11.0-RC2
4.11.0
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.11.6
4.11.7
4.11.8
4.11.9
4.12.0-RC1
4.12.0-RC2
4.12.0-RC3
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.12.6
4.12.7
4.13.0-RC1
4.13.0-RC2
4.13.0-RC3
4.13.0
4.13.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.13.11
4.13.12
4.13.13
4.13.14
4.13.15
4.13.16
4.13.17
4.13.18
4.13.19
4.13.20
4.13.21
4.13.22
4.13.23
4.13.24
4.13.25
4.13.26
4.13.27
4.13.28
4.13.29
4.13.30
4.13.31
4.13.32
4.13.33
4.13.34
4.13.35
4.13.36
4.13.37
4.13.38
4.13.39
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Affected versions
5.*
5.0.0-RC1
5.0.0-RC2
5.0.0-RC3
5.0.0-RC4
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.1.0-RC1
5.1.0-RC2
5.1.0-RC3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.2.0-RC1
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0-RC5
5.2.0-RC6
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.0
5.3.1
5.3.2
5.3.3