Primary

Context

Contao SVG Uploads Cross-Site Scripting Vulnerability

Vulnerability

Patched

A cross-site scripting vulnerability has been identified in Contao, an open-source content management system. This issue allows users to upload SVG files containing malicious code, which is then executed either in the back end or front end. The vulnerability affects Contao versions 4.0 through 4.12, as well as 5.0 through 5.3.29 and 5.4, up to 5.5.5.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where uploaded SVG files can execute malicious code in the user's browser or the application's back end.

Remediation

Users can upgrade to Contao versions 4.13.54, 5.3.30, or 5.5.6. As a workaround, remove 'svg' and 'svgz' from the allowed upload file types in the system settings and from 'contao.editable_files' in the 'config.yaml'.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

7.5

exploitability

5.2

remediation

8.3

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

7.5

exploitability

5.2

remediation

8.3

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Contao SVG Uploads Cross-Site Scripting Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Contao

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating