Cross-site scripting via input unit widget
Package
Affected versions
>= 4.0.0, < 4.9.42
>= 4.10.0, < 4.13.28
>= 5.0.0, < 5.1.10
Patched versions
4.9.42
4.13.28
5.1.10
Description
Published to the GitHub Advisory Database
Jul 25, 2023
Reviewed
Jul 25, 2023
Published by the National Vulnerability Database
Jul 25, 2023
Last updated
Nov 15, 2023
Impact
Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).
Patches
Update to Contao 4.9.42, 4.13.28 or 5.1.10.
Workarounds
Disable login for all untrusted back end users.
References
https://contao.org/en/security-advisories/cross-site-scripting-in-widgets-with-units
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Credits
Thanks to Christian Pöschl and Fabian Brenner from usd AG for reporting this vulnerability.