Description
Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments.
References (4)
Vendor Advisory (x_refsource_confirm): https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g
Patch (x_refsource_misc): https://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2
Patch (x_refsource_misc): https://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2
Vendor Advisory (x_refsource_misc): https://contao.org/en/security-advisories/insufficient-bbcode-sanitization
Scores
CVSS v3
4.3
EPSS
0.0070
EPSS Percentile
72.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-74
Status
published
Products (2)
contao/comments-bundle
2.0.0 - 4.13.40 (Packagist)
contao/contao
2.0 - 4.13.40
Published
Apr 09, 2024
Tracked Since
Feb 18, 2026