What is CVE-2021-35210?

CVE-2021-35210 is a cross-site scripting (XSS) vulnerability in the system log of Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5.

How does CVE-2021-35210 affect the system?

CVE-2021-35210 allows an attacker to inject code into the system log table that will be executed in the browser when the system log is called in the back end.

What is the severity of CVE-2021-35210?

CVE-2021-35210 has a severity rating of 6.1 (medium).

What software versions are affected by CVE-2021-35210?

Contao versions 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5 are affected by CVE-2021-35210.

How can I fix CVE-2021-35210?

To fix CVE-2021-35210, update Contao to version 4.9.16 or 4.11.5 depending on the branch you are using.

Vulnerability/
CVE-2021-35210

medium

6.1

CWE

23/6/2021

22/4/2024

CVE-2021-35210: XSS

First published: Wed Jun 23 2021(Updated: )

### Impact It is possible to inject code into the `tl_log` table that will be executed in the browser when the system log is called in the back end. ### Patches Update to Contao 4.9.16 or 4.11.5. ### Workarounds Disable the system log module in the back end for all users (especially admin users). ### References https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021 ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
composer/contao/core-bundle	>=4.5.0<4.9.16>=4.10.0<4.11.0>=4.11.0<4.11.5
composer/contao/contao	>=4.5.0<4.9.16>=4.10.0<4.11.0>=4.11.0<4.11.5
Contao Contao	>=4.5.0<4.9.16
Contao Contao	>=4.10.0<4.11.5
composer/contao/contao	>=4.10.0<4.11.5	4.11.5
composer/contao/contao	>=4.5.0<4.9.16	4.9.16
composer/contao/core-bundle	>=4.10.0<4.11.5	4.11.5
composer/contao/core-bundle	>=4.5.0<4.9.16	4.9.16
	>=4.5.0<4.9.16
	>=4.10.0<4.11.5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-35210?
CVE-2021-35210 is a cross-site scripting (XSS) vulnerability in the system log of Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5.
How does CVE-2021-35210 affect the system?
CVE-2021-35210 allows an attacker to inject code into the system log table that will be executed in the browser when the system log is called in the back end.
What is the severity of CVE-2021-35210?
CVE-2021-35210 has a severity rating of 6.1 (medium).
What software versions are affected by CVE-2021-35210?
Contao versions 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5 are affected by CVE-2021-35210.
How can I fix CVE-2021-35210?
To fix CVE-2021-35210, update Contao to version 4.9.16 or 4.11.5 depending on the branch you are using.

collector/friends-of-php
collector/nvd-index
agent/type
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-h58v-c6rf-g9f7
alias/CVE-2021-35210
agent/software-canonical-lookup
agent/references
agent/last-modified-date
agent/severity
agent/weakness
agent/description
agent/author
agent/tags
agent/softwarecombine
agent/event
collector/nvd-cve
source/NVD
collector/github-advisory
package-manager/composer
vendor/contao
canonical/contao contao
version/contao contao/4.5.0
version/contao contao/4.10.0