GHSA-hr3h-x6gq-rqcp

Source

https://github.com/advisories/GHSA-hr3h-x6gq-rqcp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-hr3h-x6gq-rqcp/GHSA-hr3h-x6gq-rqcp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hr3h-x6gq-rqcp

Aliases

CVE-2021-35955

Published

2021-08-25T14:45:01Z

Modified

2024-04-22T19:06:31.737083Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L CVSS Calculator

Summary

Cross site scripting via HTML attributes in the back end

Details

Impact

It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end).

Installations are only affected if there are untrusted back end users who have the rights to modify HTML fields (e.g. TinyMCE).

Patches

Update to Contao 4.4.56, 4.9.18 or 4.11.7

Workarounds

Disable all fields that allow HTML for untrusted back end users or disable the login for these users.

References

https://contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Credits

Thanks to Mikhail Khramenkov and Moritz Vondano for reporting this security issue.

Database specific

{
    "nvd_published_at": "2021-08-12T15:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-24T18:55:48Z"
}

References

Affected packages

Packagist / contao/core-bundle

Package

Name: contao/core-bundle
Purl: pkg:composer/contao/core-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.4.56

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0-beta1

4.1.0-RC1

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0-beta1

4.2.0-RC1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.3.0-RC1

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.3.9

4.3.10

4.3.11

4.4.0-beta1

4.4.0-RC1

4.4.0-RC2

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.17

4.4.18

4.4.19

4.4.20

4.4.21

4.4.22

4.4.23

4.4.24

4.4.25

4.4.26

4.4.27

4.4.28

4.4.29

4.4.30

4.4.31

4.4.32

4.4.33

4.4.34

4.4.35

4.4.36

4.4.37

4.4.38

4.4.39

4.4.40

4.4.41

4.4.42

4.4.43

4.4.44

4.4.45

4.4.46

4.4.47

4.4.48

4.4.49

4.4.50

4.4.51

4.4.52

4.4.53

4.4.54

4.4.55

Packagist / contao/contao

Package

Name: contao/contao
Purl: pkg:composer/contao/contao

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.4.56

Affected versions

4.*

4.4.22

4.4.23

4.4.24

4.4.25

4.4.26

4.4.27

4.4.28

4.4.29

4.4.30

4.4.31

4.4.32

4.4.33

4.4.34

4.4.35

4.4.36

4.4.37

4.4.38

4.4.39

4.4.40

4.4.41

4.4.42

4.4.43

4.4.44

4.4.45

4.4.46

4.4.47

4.4.48

4.4.49

4.4.50

4.4.51

4.4.52

4.4.53

4.4.54

4.4.55

Packagist / contao/contao

Package

Name: contao/contao
Purl: pkg:composer/contao/contao

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.5.0

Fixed

4.9.18

Affected versions

4.*

4.5.13

4.5.14

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.7.0-RC1

4.7.0-RC2

4.7.0-RC3

4.7.0-RC4

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.8.0-RC1

4.8.0-RC2

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.8.7

4.8.8

4.9.0-RC1

4.9.0-RC2

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.9.8

4.9.9

4.9.10

4.9.11

4.9.12

4.9.13

4.9.14

4.9.15

4.9.16

4.9.17

Packagist / contao/contao

Package

Name: contao/contao
Purl: pkg:composer/contao/contao

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.10.0

Fixed

4.11.7

Affected versions

4.*

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.11.0-RC1

4.11.0-RC2

4.11.0

4.11.1

4.11.2

4.11.3

4.11.4

4.11.5

4.11.6

Packagist / contao/core-bundle

Package

Name: contao/core-bundle
Purl: pkg:composer/contao/core-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.5.0

Fixed

4.9.18

Affected versions

4.*

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.12

4.5.13

4.5.14

4.6.0-RC1

4.6.0-RC2

4.6.0-RC3

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.6.10

4.6.11

4.6.12

4.6.13

4.6.14

4.7.0-RC1

4.7.0-RC2

4.7.0-RC3

4.7.0-RC4

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.8.0-RC1

4.8.0-RC2

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.8.7

4.8.8

4.9.0-RC1

4.9.0-RC2

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.9.8

4.9.9

4.9.10

4.9.11

4.9.12

4.9.13

4.9.14

4.9.15

4.9.16

4.9.17

Packagist / contao/core-bundle

Package

Name: contao/core-bundle
Purl: pkg:composer/contao/core-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.10.0

Fixed

4.11.7

Affected versions

4.*

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.11.0-RC1

4.11.0-RC2

4.11.0

4.11.1

4.11.2

4.11.3

4.11.4

4.11.5

4.11.6