Home > Vulnerability Database > CVE-2024-28235

Mend.io Vulnerability Database

CVE-2024-28235

Date: April 9, 2024

Contao is an open source content management system. Starting in version 4.9.0 and prior to versions 4.13.40 and 5.3.4, when checking for broken links on protected pages, Contao sends the cookie header to external urls as well, the passed options for the http client are used for all requests. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable crawling protected pages.

Language: PHP

Severity Score

8.3

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28235

Url: https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d

Url: https://github.com/contao/contao

Url: https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr

Url: https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129

Url: https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16

Url: https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler

Url: https://www.mend.io/vulnerability-database/CVE-2024-28235

Severity Score

8.3

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

CVSS v3.1

Base Score:	8.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28235

Date: April 9, 2024

Language: PHP

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?