CVE-2024-28234

low-risk
Published 2024-04-09

Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable BBCode for comments.

Do I need to act?

-
0.70% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Contao

References (8)

Vendor Advisory https://contao.org/en/security-advisories/insufficient-bbcode-sanitization
Patch https://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2
Patch https://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2
Vendor Advisory https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g
Vendor Advisory https://contao.org/en/security-advisories/insufficient-bbcode-sanitization
Patch https://github.com/contao/contao/commit/55b995d8d35da0d36bc6a22c53fe6423ab0c4ae2
Patch https://github.com/contao/contao/commit/6d42e667177c972ae7c219645593c262d7764ce2
Vendor Advisory https://github.com/contao/contao/security/advisories/GHSA-j55w-hjpj-825g
25
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal