CVE-2023-36806: Cross site scripting via input unit widget
Authenticated users can inject malicious code into widgets that accept a unit; the injected code is then executed both in the element preview (back end) and on the website (front end).
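The defensive pattern the fix category implies, as an added illustration that is not Contao's own code: a unit value chosen by an authenticated editor is restricted to an allow-list and, like every other user-controlled value, escaped for the HTML context it is rendered into, so the same rendering is safe in the back-end preview and on the front end. The function and constant names (renderUnitInput, ALLOWED_UNITS) are assumptions, and the sample input is constructed.

```php
<?php
// Added illustration, not Contao's code: rendering a numeric input with a
// user-supplied unit suffix safely. Names here are assumptions.

// Restrict units to a known set so arbitrary text never reaches the template.
const ALLOWED_UNITS = ['px', 'em', 'rem', '%'];

function isAllowedUnit(string $unit): bool
{
    // Strict comparison: no type juggling on the way into the allow-list check.
    return in_array($unit, ALLOWED_UNITS, true);
}

// Escape every user-controlled value for the HTML attribute/text context it is
// inserted into. The same helper serves the preview and the public page.
function renderUnitInput(string $name, string $value, string $unit): string
{
    if (!isAllowedUnit($unit)) {
        // Refuse unknown units instead of echoing them back into the markup.
        throw new InvalidArgumentException('Unsupported unit');
    }

    $esc = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return sprintf(
        '<input type="text" name="%s" value="%s"><span class="unit">%s</span>',
        $esc($name),
        $esc($value),
        $esc($unit)
    );
}

// Constructed sample: a stored value containing markup characters is rendered inert,
// and a unit outside the allow-list is rejected before rendering.
echo renderUnitInput('width', '10"><b>x</b>', 'px'), PHP_EOL;

try {
    renderUnitInput('width', '10', 'px"><b>x</b>');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list handles the unit selector specifically; the escaping step is the general control, since it protects any other widget field whose value an editor controls.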
References
- github.com/advisories/GHSA-4gpr-p634-922x
- github.com/contao/contao
- github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
- github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
- github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
- github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
- herolab.usd.de/security-advisories/usd-2023-0020
- nvd.nist.gov/vuln/detail/CVE-2023-36806