Description
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows stored cross-site scripting (XSS). It is possible to inject code into the tl_log table that is then executed in the browser when the system log is viewed in the back end.