by Leo Feyer
Session cookie disclosure in the crawler
Date: 2024-04-09
CVE ID: CVE-2024-28235
If the crawler is configured to crawl protected pages, it also sends the Cookie header to external URLs, disclosing the session cookie to third parties.
Affected versions
Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.3
Suggested solution
Upgrade to Contao 4.13.40 or 5.3.4.
Workaround
Disable crawling protected pages.
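The following Python is an added illustration of the behaviour described above and of both remedies; it is not Contao's crawler code. It assumes a crawler that logs in with a session cookie so it can index protected pages, and contrasts attaching that cookie to every request (the disclosure) with attaching it only to requests whose origin matches the crawled site (the fix). Not crawling protected pages at all, the advisory's workaround, is modelled by the crawl_protected flag. All hostnames, the link graph and the cookie value are constructed sample data.

```python
"""Origin-scoped cookie handling for a site crawler (added example)."""
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlparse

Origin = Tuple[str, str, int]  # (scheme, host, port)
HeaderBuilder = Callable[[str, str, Origin], Dict[str, str]]


def origin_of(url: str) -> Origin:
    """Return the (scheme, host, port) origin of an absolute http(s) URL."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def headers_unscoped(url: str, session_cookie: str, site: Origin) -> Dict[str, str]:
    """Vulnerable behaviour: the session cookie goes on every request."""
    return {"Cookie": session_cookie}


def headers_scoped(url: str, session_cookie: str, site: Origin) -> Dict[str, str]:
    """Fixed behaviour: the session cookie only goes to the crawled site's origin."""
    if origin_of(url) == site:
        return {"Cookie": session_cookie}
    return {}


# Constructed link graph: a protected members page links to one internal
# page, one third-party resource and one same-host URL on another port.
SAMPLE_LINKS: Dict[str, List[str]] = {
    "https://site.example/": ["https://site.example/members/"],
    "https://site.example/members/": [
        "https://site.example/members/downloads",
        "https://tracker.example.net/pixel.gif",
        "http://site.example:8080/legacy",  # same host, different origin
    ],
}


def crawl(start_url: str, session_cookie: str, links: Dict[str, List[str]],
          header_builder: HeaderBuilder, crawl_protected: bool = True
          ) -> List[Tuple[str, bool]]:
    """Breadth-first crawl returning (url, cookie_was_sent) per request.

    With crawl_protected=False the crawler never authenticates, which is
    what 'disable crawling protected pages' amounts to.
    """
    site = origin_of(start_url)
    requests: List[Tuple[str, bool]] = []
    queue: List[str] = [start_url]
    seen: Set[str] = set()
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        headers = header_builder(url, session_cookie, site) if crawl_protected else {}
        requests.append((url, "Cookie" in headers))
        queue.extend(links.get(url, []))
    return requests


def leaked_to(requests: List[Tuple[str, bool]], site: Origin) -> List[str]:
    """Audit helper: foreign-origin URLs that received the session cookie."""
    return [url for url, sent in requests if sent and origin_of(url) != site]


if __name__ == "__main__":
    start = "https://site.example/"
    cookie = "PHPSESSID=constructed-sample-value"  # constructed, not a real session
    for name, builder in (("unscoped", headers_unscoped), ("scoped", headers_scoped)):
        log = crawl(start, cookie, SAMPLE_LINKS, builder)
        print(f"{name}: cookie leaked to {leaked_to(log, origin_of(start)) or 'nothing'}")
```

Running the module prints that the unscoped builder leaks the cookie to the tracker and to the alternate-port URL, while the scoped builder leaks nothing yet still authenticates to the internal download page. The origin comparison deliberately includes scheme and port, so a same-host URL on a different port does not receive the cookie either.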
More information
https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr