Impact
Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.
Patches
Update to Contao 4.13.40 or Contao 5.3.4.
Workarounds
Disable uploads for untrusted users.
References
https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Credits
Thanks to Alexander Wuttke for reporting this vulnerability.
Impact
Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.
Patches
Update to Contao 4.13.40 or Contao 5.3.4.
Workarounds
Disable uploads for untrusted users.
References
https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Credits
Thanks to Alexander Wuttke for reporting this vulnerability.