CVE-2011-0508
Contao CMS - XSS
Cross-site scripting (XSS) vulnerability in system/modules/comments/Comments.php in Contao CMS 2.9.2, and possibly other versions before 2.9.3, allows remote attackers to inject arbitrary web script or HTML via the HTTP X_FORWARDED_FOR header, which is stored by system/libraries/Environment.php but not properly handled by a comments action to main.php.
References (7)
Scores
EPSS: 0.0050
EPSS Percentile: 65.6%
Classification
CWE: CWE-79
Status: published
Affected Products (2)
contao/contao_cms
n/a/n/a
Timeline
Published: Jan 20, 2011
Tracked Since: Feb 18, 2026