Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

Session cookie disclosure in the crawler

2024-04-09 07:16 by Leo Feyer

Date: 2024-04-09
CVE ID: CVE-2024-28235

If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39
Contao 5.0
Contao 5.1
Contao 5.2
Contao 5.3 up to 5.3.3

Suggested solution

Upgrade to Contao 4.13.40 or 5.3.4.

Workaround

Disable crawling protected pages.

More information

https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr

Show all security advisories

Security advisories

Session cookie disclosure in the crawler

Archive

Subscribe