Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Contao Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2025-57757)

Description

Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not adding protected news archives to the news feed page.

Remediation

References

Related Vulnerabilities

WordPress Plugin Easy Social Icons Cross-Site Scripting (3.1.2)

Moodle Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2024-25978)

Python Other Vulnerability (CVE-2010-3492)

WordPress Plugin Better WordPress Minify Arbitrary File Disclosure (1.2.2)

WordPress Plugin Ocean Extra Cross-Site Request Forgery (1.6.5)

Severity

Medium

Classification

CVE-2025-57757 CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities