gsd-2018-5478
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension.
Aliases



{
  "GSD": {
    "alias": "CVE-2018-5478",
    "id": "GSD-2018-5478"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-5478"
      ],
      "details": "Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension.",
      "id": "GSD-2018-5478",
      "modified": "2023-12-13T01:22:39.548167Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-5478",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2018-5478.yaml",
            "refsource": "MISC",
            "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2018-5478.yaml"
          },
          {
            "name": "https://security.snyk.io/vuln/SNYK-PHP-CONTAOCORE-70397",
            "refsource": "MISC",
            "url": "https://security.snyk.io/vuln/SNYK-PHP-CONTAOCORE-70397"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c3.5.32",
          "affected_versions": "All versions before 3.5.32",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2018-01-18",
          "description": "There\u0027s an XSS vulnerability in the \"unsubscribe\" module of the newsletter extension and it can easily be exploited by anyone in the front end. If you are not using the newsletter extension or the \"unsubscribe\" module, your installation is not affected by the vulnerability.",
          "fixed_versions": [],
          "identifier": "CVE-2018-5478",
          "identifiers": [
            "CVE-2018-5478"
          ],
          "package_slug": "packagist/contao/core",
          "pubdate": "2018-01-18",
          "solution": "Fixed version 3.5.32 is not published yet but can be installed from GitHub.\r\n\r\nThe fixed version is available from https://github.com/contao/core/tree/3.5.32",
          "title": "XSS vulnerability in the newsletter extension",
          "urls": [
            "https://contao.org/en/news/contao-3_5_32.html"
          ],
          "uuid": "6b944d09-69d0-40b1-9706-77f802701593"
        },
        {
          "affected_range": "\u003e=4.0.0-alpha0, \u003c=4.0.3",
          "affected_versions": "All versions starting from 4.0.0-alpha0 up to 4.0.3",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2018-01-18",
          "description": "The vulnerability is in the \"unsubscribe\" module of the newsletter extension and can easily be exploited by anyone in the front end. If you are not using the newsletter extension or the \"unsubscribe\" module, your installation is not affected by the vulnerability.",
          "fixed_versions": [
            "4.1.0"
          ],
          "identifier": "CVE-2018-5478",
          "identifiers": [
            "CVE-2018-5478"
          ],
          "not_impacted": "All versions before 4.0.0-alpha0, all versions after 4.0.3",
          "package_slug": "packagist/contao/newsletter-bundle",
          "pubdate": "2018-01-18",
          "solution": "Upgrade to version 4.1.0 or above.",
          "title": "XSS vulnerability in the newsletter extension",
          "urls": [
            "https://contao.org/en/news/contao-3_5_32.html"
          ],
          "uuid": "dfb22455-da4d-454d-b11e-c7ec231a170a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.5.32",
                "versionStartIncluding": "3.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-5478"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.snyk.io/vuln/SNYK-PHP-CONTAOCORE-70397",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.snyk.io/vuln/SNYK-PHP-CONTAOCORE-70397"
            },
            {
              "name": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2018-5478.yaml",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core/CVE-2018-5478.yaml"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-09-23T03:42Z",
      "publishedDate": "2023-09-21T06:15Z"
    }
  }
}

