CVE-2024-28235: Contao: Possible cookie sharing with external domains while checking protected pages for broken links
If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.
References
- contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
- github.com/advisories/GHSA-9jh5-qf84-x6pr
- github.com/contao/contao
- github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php
- github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
- github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
- github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
- nvd.nist.gov/vuln/detail/CVE-2024-28235
Detect and mitigate CVE-2024-28235 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →