by Leo Feyer

Cross site scripting in the file manager

Date: 2024-04-09
CVE ID: CVE-2024-28190

Backend users who are allowed to upload files can insert malicious code into file names. The file manager then renders those names unescaped in its tooltips and popups, so the code is executed in the browser of any backend user who views them (stored cross-site scripting).
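To make the bug class concrete, here is a constructed Python model added for this advisory; it is not Contao's code and the template strings and function names are hypothetical. It contrasts the vulnerable pattern (a file name concatenated into tooltip/popup HTML) with the escaped form, uses a lenient HTML parser to show which of the two grows an extra element with an event handler, and ends with an audit scan for file names that carry markup characters, which is useful because upgrading fixes the rendering but leaves any earlier malicious names on disk.

```python
"""Constructed model of the CVE-2024-28190 bug class (not Contao's code).

1. the vulnerable pattern: a file name concatenated into tooltip/popup HTML,
2. the fix pattern: contextual HTML escaping of the name before output,
3. an audit scan for already-uploaded names that carry markup characters.

The template strings and function names are hypothetical and do not mirror
Contao's backend templates.
"""
import html
import re
from html.parser import HTMLParser
from pathlib import Path
from typing import Iterable, List, Tuple

# Constructed sample file names; the second is an attacker-chosen payload.
SAMPLE_NAMES = [
    "report-2024.pdf",
    '<img src=x onerror="alert(document.cookie)">.png',
    "invoice & receipt.pdf",
    "plain_name.txt",
]


def render_tooltip_unsafe(name: str) -> str:
    """Vulnerable pattern: raw name placed in an attribute and in element text."""
    return f'<a title="{name}" href="#">{name}</a>'


def render_tooltip_safe(name: str) -> str:
    """Hardened pattern: escape &, <, >, " and ' before inserting the name.

    quote=True matters because the name also lands inside title="...";
    escaping only < and > would still let a quote close the attribute.
    """
    safe = html.escape(name, quote=True)
    return f'<a title="{safe}" href="#">{safe}</a>'


class _TagCollector(HTMLParser):
    """Records every start tag and every on* event-handler attribute seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.handlers: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for attr, _ in attrs:
            if attr.lower().startswith("on"):
                self.handlers.append((tag, attr))


def active_content(rendered: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Parse rendered HTML leniently and report the tags and on* handlers found.

    Python's HTMLParser is not a browser, but for this payload it shows the
    same effect: the unsafe rendering gains an <img> element with an onerror
    handler, the escaped rendering contains only the <a> of the template.
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags, parser.handlers


# Characters that can open a tag or close an attribute value.
MARKUP_CHARS = re.compile(r"""[<>"']""")


def flag_suspicious(names: Iterable[str]) -> List[str]:
    """Return names containing characters that can break out of an HTML context.

    '&' is deliberately not flagged: on its own it cannot open a tag or close
    an attribute, so "invoice & receipt.pdf" is left to the escaper.
    """
    return [n for n in names if MARKUP_CHARS.search(n)]


def scan_upload_dir(root: Path) -> List[str]:
    """Walk an upload tree (for example a Contao files/ directory) and flag names."""
    return sorted(
        str(p.relative_to(root)) for p in root.rglob("*") if MARKUP_CHARS.search(p.name)
    )


if __name__ == "__main__":
    payload = SAMPLE_NAMES[1]
    print("unsafe:", active_content(render_tooltip_unsafe(payload)))
    print("safe:  ", active_content(render_tooltip_safe(payload)))
    print("flagged:", flag_suspicious(SAMPLE_NAMES))
```

Run as a script it prints the parsed tags for both renderings and the flagged sample name; point `scan_upload_dir` at a real upload directory to list existing files whose names deserve a look after upgrading. The scan is a review aid, not a fix: the fix is escaping on output, since a name that passes the scan today can still be renamed later.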

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.3

Suggested solution

Upgrade to Contao 4.13.40 or 5.3.4.

Workaround

Until the upgrade is applied, disable file uploads for untrusted users.

More information

https://github.com/contao/contao/security/advisories/GHSA-v24p-7p4j-qvvf