First published: Tue Jul 25 2023
### Impact

Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).

### Patches

Update to Contao 4.9.42, 4.13.28 or 5.1.10.

### Workarounds

Disable login for all untrusted back end users.

### References

https://contao.org/en/security-advisories/cross-site-scripting-in-widgets-with-units

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

### Credits

Thanks to Christian Pöschl and Fabian Brenner from usd AG for reporting this vulnerability.
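To make the defensive point concrete, here is an added illustration (hypothetical code, not Contao's own widget implementation) of how a "value with unit" field can break out of its markup when the unit string is trusted, and how an allowlist plus output encoding closes that hole. The function names, the unit list and the sample input are all constructed for this example.

```php
<?php
// Hypothetical "value with unit" widget, NOT Contao's code.
// Vulnerable variant: the unit chosen by an authenticated back end user is
// concatenated into the preview / front end markup without validation or encoding.
function renderUnitWidgetVulnerable(string $value, string $unit): string
{
    return '<span style="width: ' . $value . $unit . '">' . $value . $unit . '</span>';
}

// Hardened variant: only a fixed set of units is accepted, the numeric part
// must actually be numeric, and everything is HTML-encoded before output.
const ALLOWED_UNITS = ['px', '%', 'em', 'rem', 'vw', 'vh'];  // constructed allowlist

function renderUnitWidgetSafe(string $value, string $unit): string
{
    if (!in_array($unit, ALLOWED_UNITS, true)) {
        throw new InvalidArgumentException('Unsupported unit: ' . $unit);
    }
    if (!is_numeric($value)) {
        throw new InvalidArgumentException('Numeric value expected');
    }
    // Encode even the validated string so a future allowlist change cannot reintroduce XSS.
    $safe = htmlspecialchars($value . $unit, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<span style="width: ' . $safe . '">' . $safe . '</span>';
}

// Constructed sample: a unit field that carries markup instead of a plain unit.
$tamperedUnit = 'px"><i>injected</i>';

// The vulnerable renderer lets the closing quote and tag through verbatim.
echo renderUnitWidgetVulnerable('10', $tamperedUnit), PHP_EOL;

// The hardened renderer rejects the tampered unit before it reaches the markup.
try {
    echo renderUnitWidgetSafe('10', $tamperedUnit), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate unit still renders normally.
echo renderUnitWidgetSafe('10', 'px'), PHP_EOL;
```

Running the script shows the first line emitting a closed attribute and an extra tag, while the hardened path rejects the same input and only renders the allowlisted unit.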
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Contao Contao | >=5.0.0, <5.1.10 | Update to 5.1.10
Contao Contao | >=4.10.0, <4.13.28 | Update to 4.13.28
Contao Contao | >=4.0.0, <4.9.42 | Update to 4.9.42
The severity of CVE-2023-36806 is medium with a CVSS score of 6.6.
The CWE for CVE-2023-36806 is CWE-79.