GHSA-9jh5-qf84-x6pr

GitHub Security Advisory

Contao: Possible cookie sharing with external domains while checking protected pages for broken links

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

### Impact

If the crawler is configured to crawl protected pages, it also sends the cookie header along with requests to external URLs, so the session cookie used to access the protected pages is disclosed to third-party domains that those pages link to.

### Patches

Update to Contao 4.13.40 or 5.3.4.

### Workarounds

Disable crawling protected pages.
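The defect described above (a link checker that carries the session cookie it used for protected pages over to every URL it follows, including external ones) and the corrected behaviour the patch restores can be illustrated with a small same-origin check. The following is an added example written for this page; it is not Contao's code, and the crawler, URLs, HTML and cookie value are constructed. The `scope_to_origin` switch is a hypothetical name introduced only to show the leaking variant beside the hardened one.

```python
"""Scope a crawler's session cookie to the site that issued it.

Added example (not Contao's code): a link checker logs into a site, fetches
a protected page and follows every link it finds. With scope_to_origin=False
it reproduces the reported flaw (cookie attached to every request); with
scope_to_origin=True the cookie only travels to the crawled origin.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: a protected members page linking to two internal
# targets, one external host and one plain-http link on the same host.
PROTECTED_PAGE_HTML = """
<html><body>
  <a href="/members/downloads">Downloads</a>
  <a href="https://www.example.com/members/profile">Profile</a>
  <a href="https://cdn.example-other.net/manual.pdf">Manual</a>
  <a href="http://www.example.com/imprint">Imprint (plain http)</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect the href attribute of every <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def origin_of(url: str) -> tuple:
    """Return (scheme, host, port); default ports are filled in so that
    https://host and https://host:443 compare equal."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def same_origin(crawl_origin: str, target_url: str) -> bool:
    """True only if target shares scheme, host and port with the crawled site.
    A differing scheme counts as foreign, so the cookie never downgrades to http."""
    return origin_of(crawl_origin) == origin_of(target_url)


def build_headers(crawl_origin: str, target_url: str, session_cookie: str,
                  scope_to_origin: bool = True) -> dict:
    """Headers for one crawler request. scope_to_origin=False mirrors the
    vulnerable behaviour: the cookie is sent regardless of destination."""
    headers = {"User-Agent": "link-checker/1.0"}
    if not scope_to_origin or same_origin(crawl_origin, target_url):
        headers["Cookie"] = session_cookie
    return headers


def plan_requests(crawl_origin: str, page_url: str, html: str,
                  session_cookie: str, scope_to_origin: bool = True) -> list:
    """Extract links from a fetched protected page and decide, per link,
    which headers the follow-up request would carry."""
    extractor = LinkExtractor()
    extractor.feed(html)
    plan = []
    for href in extractor.hrefs:
        url = urljoin(page_url, href)  # resolve relative links against the page
        plan.append((url, build_headers(crawl_origin, url, session_cookie,
                                        scope_to_origin)))
    return plan


def leaked_cookie_targets(plan: list, crawl_origin: str) -> list:
    """Audit helper: URLs outside the origin that would receive a Cookie header."""
    return [url for url, headers in plan
            if "Cookie" in headers and not same_origin(crawl_origin, url)]


if __name__ == "__main__":
    origin = "https://www.example.com"
    cookie = "PHPSESSID=constructed-sample-value"
    for scoped in (False, True):
        plan = plan_requests(origin, origin + "/members", PROTECTED_PAGE_HTML,
                             cookie, scope_to_origin=scoped)
        print("scoped" if scoped else "unscoped", "-> leaks to:",
              leaked_cookie_targets(plan, origin))
```

Running the script prints two leaking destinations for the unscoped variant (the external CDN host and the plain-http link) and none once the cookie is scoped; `leaked_cookie_targets` is the kind of check a test suite for a crawler can keep around so the regression is caught before release.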

### References

https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

Affected Packages

Packagist contao/core-bundle
Affected versions: 4.9.0 (fixed in 4.13.40)
Packagist contao/core-bundle
Affected versions: 5.0.0-RC1 (fixed in 5.3.4)

Key Information

GHSA ID
GHSA-9jh5-qf84-x6pr
Published
April 9, 2024 3:50 PM
Last Modified
April 9, 2024 9:00 PM
CVSS Score
7.5 /10
Primary Ecosystem
Packagist
Primary Package
contao/core-bundle
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.