GHSA-vqqr-fgmh-f626
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vqqr-fgmh-f626
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-vqqr-fgmh-f626/GHSA-vqqr-fgmh-f626.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vqqr-fgmh-f626
- Aliases
-
- CVE-2025-29790
- Published
- 2025-03-18T21:07:17Z
- Modified
- 2025-03-19T15:58:56.704123Z
- Severity
-
- 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
- Details
-
Impact
Users can upload SVG files with malicious code, which is then executed in the back end and/or front end.
Patches
Update to Contao 4.13.54, 5.3.30 or 5.5.6.
Workarounds
Remove
svg,svgzfrom the allowed upload file types in the system settings and fromcontao.editable_filesin theconfig.yaml.References
https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
- Database specific
{ "nvd_published_at": "2025-03-18T19:15:50Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-18T21:07:17Z" }- References
Affected packages
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Affected versions
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0-beta1
4.1.0-RC1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0-beta1
4.2.0-RC1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0-RC1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.4.0-beta1
4.4.0-RC1
4.4.0-RC2
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.17
4.4.18
4.4.19
4.4.20
4.4.21
4.4.22
4.4.23
4.4.24
4.4.25
4.4.26
4.4.27
4.4.28
4.4.29
4.4.30
4.4.31
4.4.32
4.4.33
4.4.34
4.4.35
4.4.36
4.4.37
4.4.38
4.4.39
4.4.40
4.4.41
4.4.42
4.4.43
4.4.44
4.4.45
4.4.46
4.4.47
4.4.48
4.4.49
4.4.50
4.4.51
4.4.52
4.4.53
4.4.54
4.4.55
4.4.56
4.4.57
4.5.0-beta1
4.5.0-beta2
4.5.0-beta3
4.5.0-RC1
4.5.0-RC2
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.6.0-RC1
4.6.0-RC2
4.6.0-RC3
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.6.10
4.6.11
4.6.12
4.6.13
4.6.14
4.7.0-RC1
4.7.0-RC2
4.7.0-RC3
4.7.0-RC4
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.7.7
4.8.0-RC1
4.8.0-RC2
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.9.0-RC1
4.9.0-RC2
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
4.9.8
4.9.9
4.9.10
4.9.11
4.9.12
4.9.13
4.9.14
4.9.15
4.9.16
4.9.17
4.9.18
4.9.19
4.9.20
4.9.21
4.9.22
4.9.23
4.9.24
4.9.25
4.9.26
4.9.27
4.9.28
4.9.29
4.9.30
4.9.31
4.9.32
4.9.33
4.9.34
4.9.35
4.9.36
4.9.37
4.9.38
4.9.39
4.9.40
4.9.41
4.9.42
4.10.0-RC1
4.10.0-RC2
4.10.0-RC3
4.10.0-RC4
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.11.0-RC1
4.11.0-RC2
4.11.0
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.11.6
4.11.7
4.11.8
4.11.9
4.12.0-RC1
4.12.0-RC2
4.12.0-RC3
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.12.6
4.12.7
4.13.0-RC1
4.13.0-RC2
4.13.0-RC3
4.13.0
4.13.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.13.11
4.13.12
4.13.13
4.13.14
4.13.15
4.13.16
4.13.17
4.13.18
4.13.19
4.13.20
4.13.21
4.13.22
4.13.23
4.13.24
4.13.25
4.13.26
4.13.27
4.13.28
4.13.29
4.13.30
4.13.31
4.13.32
4.13.33
4.13.34
4.13.35
4.13.36
4.13.37
4.13.38
4.13.39
4.13.40
4.13.41
4.13.42
4.13.43
4.13.44
4.13.45
4.13.46
4.13.47
4.13.48
4.13.49
4.13.50
4.13.51
4.13.52
4.13.53
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle