Home > Vulnerability Database > CVE-2024-28191

Mend.io Vulnerability Database

CVE-2024-28191

Date: April 9, 2024

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.

Language: PHP

Severity Score

3.1

Related Resources (7)

Url: https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919

Url: https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b

Url: https://github.com/contao/contao

Url: https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28191

Url: https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8

Url: https://www.mend.io/vulnerability-database/CVE-2024-28191

Severity Score

3.1

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

CVSS v3.1

Base Score:	3.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28191

Date: April 9, 2024

Language: PHP

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?