Contao Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2011-0508 - Vulnerability Database

Contao

Contao Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2011-0508

Medium

Reference: CVE-2011-0508

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2011-0508

Title: Contao Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

Cross-site scripting (XSS) vulnerability in system/modules/comments/Comments.php in Contao CMS 2.9.2 and possibly other versions before 2.9.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP X_FORWARDED_FOR header which is stored by system/libraries/Environment.php but not properly handled by a comments action to main.php.