CVE-2021-35955: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contao versions 4.0.0 and later allow back-end cross-site scripting (XSS) via HTML attributes supplied to an HTML field. Fixed in 4.4.56, 4.9.18, and 4.11.7.
References
- contao.org/en/news/contao-4-9-16-and-4-11-5-are-available.html
- contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35955.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35955.yaml
- github.com/advisories/GHSA-hr3h-x6gq-rqcp
- github.com/contao/contao/security/advisories/GHSA-hr3h-x6gq-rqcp
- nvd.nist.gov/vuln/detail/CVE-2021-35955