Martin Auswöger

9 exploits Active since May 2022
CVE-2023-36806 WRITEUP MEDIUM WRITEUP
Contao <4.9.42, <4.13.28, <5.1.10 - Code Injection
Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.9.42, 4.13.28, and 5.1.10, it is possible for untrusted backend users to inject malicious code into headline fields in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights to modify headline fields, or other fields using the input unit widget. Contao 4.9.42, 4.13.28, and 5.1.10 have a patch for this issue. As a workaround, disable the login for all untrusted back end users.
CVSS 6.5
CVE-2024-28190 WRITEUP MEDIUM WRITEUP
Contao 4.0.0-4.13.39 - Stored Cross-Site Scripting via Filename Upload
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.
CVSS 5.4
CVE-2024-28191 WRITEUP LOW WRITEUP
Contao 4.0.0-4.13.39 - Insert Tag Injection via Form Generator
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.
CVSS 3.1
CVE-2024-28234 WRITEUP MEDIUM WRITEUP
Contao 2.0.0-4.13.39 and 5.0.0-5.3.3 - CSS Injection via BBCode in Comments
Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments.
CVSS 4.3
CVE-2022-24899 WRITEUP HIGH WRITEUP
Contao 4.13.0-4.13.2 - Cross-Site Scripting via Canonical URL
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.
CVSS 7.2
CVE-2023-36806 WRITEUP MEDIUM WRITEUP
Contao <4.9.42, <4.13.28, <5.1.10 - Code Injection
Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.9.42, 4.13.28, and 5.1.10, it is possible for untrusted backend users to inject malicious code into headline fields in the back end, which will be executed both in the element preview (back end) and on the website (front end). Installations are only affected if there are untrusted back end users who have the rights to modify headline fields, or other fields using the input unit widget. Contao 4.9.42, 4.13.28, and 5.1.10 have a patch for this issue. As a workaround, disable the login for all untrusted back end users.
CVSS 6.5
CVE-2024-28190 WRITEUP MEDIUM WRITEUP
Contao 4.0.0-4.13.39 - Stored Cross-Site Scripting via Filename Upload
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, users can inject malicious code in filenames when uploading files (back end and front end), which is then executed in tooltips and popups in the back end. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, remove upload fields from frontend forms and disable uploads for untrusted back end users.
CVSS 5.4
CVE-2024-28191 WRITEUP LOW WRITEUP
Contao 4.0.0-4.13.39 - Insert Tag Injection via Form Generator
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.
CVSS 3.1
CVE-2024-28234 WRITEUP MEDIUM WRITEUP
Contao 2.0.0-4.13.39 and 5.0.0-5.3.3 - CSS Injection via BBCode in Comments
Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments.
CVSS 4.3