Contao: Possible cookie sharing with external domains while checking protected pages for broken links
Package
Affected versions
>= 4.9.0, < 4.13.40
>= 5.0.0-RC1, < 5.3.4
Patched versions
4.13.40
5.3.4
Description
Published to the GitHub Advisory Database
Apr 9, 2024
Reviewed
Apr 9, 2024
Published by the National Vulnerability Database
Apr 9, 2024
Last updated
Apr 9, 2024
Impact
If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.
Patches
Update to Contao 4.13.40 or 5.3.4.
Workarounds
Disable crawling protected pages.
References
https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
References