Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

Insufficient BBCode sanitization

2024-04-09 07:12 by Leo Feyer

Date: 2024-04-09
CVE ID: CVE-2024-28234

If BBCode is enabled for comments, users can inject CSS styles.

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.3

Suggested solution

Upgrade to Contao 4.13.40 or 5.3.4.

Workaround

Disable BBCode for comments.

More information

https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g

Show all security advisories

Security advisories

Insufficient BBCode sanitization

Archive

Subscribe