CVE-2021-35955: Cross site scripting via HTML attributes in the back end
It is possible for untrusted users to inject malicious code into HTML attributes in the back end, which will be executed both in the element preview (back end) and on the website (front end).
Installations are only affected if there are untrusted back end users who have the rights to modify HTML fields (e.g. TinyMCE).
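As an added illustration of the mitigation for this bug class (example code written for this page, not Contao's own fix, which is not shown here), a small attribute-level filter that walks an HTML fragment before it is stored and drops event-handler attributes and URL attributes carrying a script scheme. The function names and the sample fragment are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# URL-bearing attributes whose value must not start with a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def unsafe_url(value):
    # HTMLParser already decodes entity/char references in attribute values,
    # so only strip the control/whitespace characters browsers ignore.
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    return cleaned.startswith(SCRIPT_SCHEMES)


class AttrFilter(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out, self.dropped = [], []

    def _render(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            if name.startswith("on") or (name in URL_ATTRS and value and unsafe_url(value)):
                self.dropped.append((tag, name))   # record for logging/detection
                continue
            kept.append(f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._render(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._render(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize_fragment(fragment):
    """Return (cleaned_html, [(tag, attribute) dropped ...])."""
    p = AttrFilter()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample: one handler attribute and one entity-obfuscated script URL.
SAMPLE = ('<p class="note">Hello <a href="#top" onmouseover="alert(1)">x</a> '
          '<img src="/a.png" alt="ok"> <a href=" &#106;avascript:alert(1)">y</a></p>')
```

Anything reported in the second return value is worth logging: a non-empty list on a back end save is a direct signal that a user tried to store an attribute-based payload.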
References
- contao.org/en/news/contao-4-9-16-and-4-11-5-are-available.html
- contao.org/en/security-advisories/cross-site-scripting-via-html-attributes-in-the-back-end.html
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2021-35955.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2021-35955.yaml
- github.com/advisories/GHSA-hr3h-x6gq-rqcp
- github.com/contao/contao
- github.com/contao/contao/security/advisories/GHSA-hr3h-x6gq-rqcp
- nvd.nist.gov/vuln/detail/CVE-2021-35955