Security advisories
Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.
Cross site scripting in the file manager
by Leo Feyer
Date: 2024-04-09
CVE ID: CVE-2024-28190
Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.
Affected versions
Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.3
Suggested solution
Upgrade to Contao 4.13.40 or 5.3.4.
Workaround
Disable uploads for untrusted users.
More information
https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf