Home > Vulnerability Database > CVE-2024-28234

Mend.io Vulnerability Database

CVE-2024-28234

Date: April 9, 2024

Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments.

Language: PHP

Severity Score

4.3

Related Resources (7)

Url: https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28234

Url: https://github.com/contao/contao

Url: https://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2

Url: https://contao.org/en/security-advisories/insufficient-bbcode-sanitization

Url: https://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2

Url: https://www.mend.io/vulnerability-database/CVE-2024-28234

Severity Score

4.3

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28234

Date: April 9, 2024

Language: PHP

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?