CVE-2024-45965

Published: Oct 2, 2024Modified: Nov 13, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Contao before 5.5.6 allows XSS via an SVG document. This affects (in contao/core-bundle in Composer) 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5..x before 5.5.6.

Affected (3)

Products: Contao: Contao

Contao

1 product

Contao

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Contao Contao	From 4.0 to 4.13.54
Contao Contao	From 5.0.0 to 5.3.30
Contao Contao	From 5.4.0 to 5.5.6

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads

Source: cve@mitre.org

Vendor Advisory

https://grimthereaperteam.medium.com/contao-5-4-1-malicious-file-upload-xss-in-svg-30edb8820ecb

Source: cve@mitre.org

ExploitThird Party Advisory

Timeline

No history available yet.