Description

Cross-site scripting (XSS) vulnerability in system/modules/comments/Comments.php in Contao CMS 2.9.2, and possibly other versions before 2.9.3, allows remote attackers to inject arbitrary web script or HTML via the HTTP X_FORWARDED_FOR header, which is stored by system/libraries/Environment.php but not properly handled by a comments action to main.php.

Remediation

References

CVE-2011-0508

Related Vulnerabilities

WordPress Plugin Encrypted Contact Form Multiple Vulnerabilities (1.0.4)

Oracle Application Server CVE-2006-0283 Vulnerability (CVE-2006-0283)

WordPress Plugin Redirection 'id' Parameter Cross-Site Scripting (2.2.8)

Oracle Database Server CVE-2008-0346 Vulnerability (CVE-2008-0346)

Zikula Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-6168)

Severity

Medium

Classification

CVE-2011-0508 CWE-707

Tags

Missing Update Known Vulnerabilities