by Leo Feyer

Insufficient BBCode sanitization

Date: 2024-04-09
CVE ID: CVE-2024-28234

If BBCode is enabled for comments, users can inject CSS styles.
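To illustrate the class of flaw and its fix, below is an added example that is not Contao's code and does not reproduce the advisory's actual root cause: a hypothetical minimal BBCode renderer whose [color=...] tag is shown once with the user-supplied value copied into a style attribute unchecked, and once with the value validated against a strict colour-token pattern. The sample comment is constructed.

```python
import html
import re

# Hypothetical BBCode renderer (example code, not Contao's). Raw HTML is
# escaped first, so the only way for user input to reach an attribute is
# through a BBCode tag whose value is interpolated into the output.

# Strict allow-list for a colour token: #rgb, #rrggbb or a bare word.
# Anything containing ';', ':', '(' or whitespace is rejected, which is
# what stops extra CSS declarations from riding along in the value.
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")

# Constructed sample: a comment that abuses the colour value to smuggle a
# second CSS declaration into the style attribute.
SAMPLE_COMMENT = "[b]Hello[/b] [color=red;font-size:99px]world[/color]"


def _render(text: str, validate_color: bool) -> str:
    # Escape <, >, &, " and ' so no raw HTML or attribute delimiter survives.
    out = html.escape(text, quote=True)
    out = re.sub(r"\[b\](.*?)\[/b\]", r"<strong>\1</strong>", out, flags=re.S)
    out = re.sub(r"\[i\](.*?)\[/i\]", r"<em>\1</em>", out, flags=re.S)

    def color(m: re.Match) -> str:
        value, inner = m.group(1), m.group(2)
        if validate_color and not COLOR_RE.match(value):
            # Not a plain colour token: drop the styling, keep the text.
            return inner
        # Escaping alone is not enough here: quotes are gone, but ';' and ':'
        # are still legal inside the attribute, so an unchecked value can add
        # arbitrary CSS declarations to the element.
        return f'<span style="color:{value}">{inner}</span>'

    return re.sub(r"\[color=([^\]]+)\](.*?)\[/color\]", color, out, flags=re.S)


def render_bbcode_unsafe(text: str) -> str:
    """Insufficient sanitization: the colour value is trusted as-is."""
    return _render(text, validate_color=False)


def render_bbcode_safe(text: str) -> str:
    """Hardened variant: only a strict colour token may reach the style attribute."""
    return _render(text, validate_color=True)


if __name__ == "__main__":
    print("unsafe:", render_bbcode_unsafe(SAMPLE_COMMENT))
    print("safe:  ", render_bbcode_safe(SAMPLE_COMMENT))
```

The point of the two variants is that HTML-escaping the input does not by itself neutralise a value that is later placed inside a style attribute; each tag value needs its own allow-list check, and a value that fails it should be dropped rather than "cleaned".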

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.3

Suggested solution

Upgrade to Contao 4.13.40 or 5.3.4.

Workaround

Disable BBCode for comments.

More information

https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g