gsd - gsd-2024-28234

gsd-2024-28234

Vulnerability from gsd

Modified

2024-03-08 06:02

Details

Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments.

Aliases

CVE-2024-28234

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-28234"
      ],
      "details": "Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments.",
      "id": "GSD-2024-28234",
      "modified": "2024-03-08T06:02:46.545265Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-28234",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "contao",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 2.0.0, \u003c 4.13.40"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 5.0.0, \u003c 5.3.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "contao"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-74",
                "lang": "eng",
                "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g",
            "refsource": "MISC",
            "url": "https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g"
          },
          {
            "name": "https://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2",
            "refsource": "MISC",
            "url": "https://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2"
          },
          {
            "name": "https://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2",
            "refsource": "MISC",
            "url": "https://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2"
          },
          {
            "name": "https://contao.org/en/security-advisories/insufficient-bbcode-sanitization",
            "refsource": "MISC",
            "url": "https://contao.org/en/security-advisories/insufficient-bbcode-sanitization"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-j55w-hjpj-825g",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments."
          },
          {
            "lang": "es",
            "value": "Contao es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. A partir de la versi\u00f3n 2.0.0 y anteriores a las versiones 4.13.40 y 5.3.4, es posible inyectar estilos CSS a trav\u00e9s de BBCode en los comentarios. Las instalaciones s\u00f3lo se ven afectadas si BBCode est\u00e1 habilitado. Las versiones 4.13.40 y 5.3.4 de Contao tienen un parche para este problema. Como workaround, desactive BBCode para comentarios."
          }
        ],
        "id": "CVE-2024-28234",
        "lastModified": "2024-04-10T13:24:22.187",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-04-09T14:15:08.897",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://contao.org/en/security-advisories/insufficient-bbcode-sanitization"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-74"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

cve-2024-28234

Vulnerability from cvelistv5

Published

2024-04-09 13:59

Modified

2024-08-02 00:48

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

Contao has insufficient BBCode sanitizer

References

▼	URL	Tags
	https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g	x_refsource_CONFIRM
	https://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2	x_refsource_MISC
	https://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2	x_refsource_MISC
	https://contao.org/en/security-advisories/insufficient-bbcode-sanitization	x_refsource_MISC

Impacted products

▼	Vendor	Product
	contao	contao

Show details on NVD website