CVE-2025-65961
3.3
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Summary
Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patch them manually.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| contao | contao | >= 4.0.0, < 4.13.57 | affected |
| contao | contao | >= 5.0.0-RC1, < 5.3.42 | affected |
| contao | contao | >= 5.4.0-RC1, < 5.6.5 | affected |
Weaknesses
- CWE-87: CWE-87: Improper Neutralization of Alternate XSS Syntax
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc
- https://contao.org/en/security-advisories/cross-site-scripting-in-templates
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.