CVE-2024-28190
Contao: Cross site scripting in the file manager
Description
### Impact

Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.

### Patches

Update to Contao 4.13.40 or Contao 5.3.4.

### Workarounds

Disable uploads for untrusted users.

### References

https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

### Credits

Thanks to Alexander Wuttke for reporting this vulnerability.
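The impact note describes the classic stored-XSS shape: an attacker-controlled string (the file name) is interpolated into backend markup, here a tooltip, without being escaped for that context. The following JavaScript is an added example written for this page, not Contao's code, and it does not reproduce the project's templates. It contrasts the vulnerable concatenation with a hardened renderer that escapes for HTML attribute and text contexts, and adds an upload-time allowlist check as a second layer; the function names, the allowlist regex and the sample file name are assumptions constructed for the demonstration.

```javascript
// Added example (not Contao's code): rendering an untrusted file name into a
// backend tooltip. Two defensive layers are shown: output escaping for the HTML
// context the name lands in, and an upload-time allowlist on the name itself.

// Escape the characters that change meaning in HTML text and quoted attributes.
// '&' must be replaced first so already-escaped sequences are not double-encoded
// in the wrong order.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw file name is concatenated into a title attribute
// and a text node. A '"' in the name closes the attribute; a '<' opens a tag.
function renderTooltipUnsafe(fileName) {
  return `<span title="${fileName}">${fileName}</span>`;
}

// Hardened pattern: escape once for the HTML context before interpolating.
// Both the attribute value and the text node use the escaped form.
function renderTooltipSafe(fileName) {
  const safe = escapeHtml(fileName);
  return `<span title="${safe}">${safe}</span>`;
}

// Upload-time check (assumed policy, not Contao's): accept only a conservative
// character set, bounded length, and no leading dot. This does not replace
// output escaping; it shrinks the attack surface if escaping is missed somewhere.
const FILE_NAME_RE = /^[A-Za-z0-9._ -]{1,255}$/;
function isAcceptableFileName(fileName) {
  return FILE_NAME_RE.test(fileName) && !fileName.startsWith(".");
}

// Count '<' characters in rendered markup: the safe renderer must emit exactly
// the two tags it builds itself, regardless of the file name's content.
function countTagOpeners(html) {
  return html.split("<").length - 1;
}

// Constructed sample: a file name carrying attribute and tag delimiters.
const SAMPLE_NAME = 'Q1 "final"<draft>.pdf';

console.log("unsafe:", renderTooltipUnsafe(SAMPLE_NAME));
console.log("safe:  ", renderTooltipSafe(SAMPLE_NAME));
console.log("accepted on upload:", isAcceptableFileName(SAMPLE_NAME));
```

The unsafe renderer emits the name's `"` and `<` verbatim, so the browser parses them as markup; the safe renderer leaves exactly two `<` characters in the output, the ones it wrote itself. The allowlist rejects the sample name outright, which is the "disable or restrict uploads" workaround expressed as a rule rather than a switch.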
How to fix CVE-2024-28190
To remediate CVE-2024-28190, upgrade the affected package to a fixed version below.
- Upgrade to 4.13.40 or later
Is CVE-2024-28190 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0, < 4.13.40
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |