CVE-2021-35210:Cross-Site Scripting (XSS) Vulnerability in Contao CMS System Log

splash
Back

Description Preview

A Cross-Site Scripting (XSS) vulnerability was discovered in Contao CMS versions 4.5.x through 4.9.x (before 4.9.16) and 4.10.x through 4.11.x (before 4.11.5). This vulnerability allows attackers to inject malicious code into the tl_log table that will be executed in the browser when an administrator views the system log in the back end. This could lead to session hijacking, credential theft, or other malicious actions performed in the context of the authenticated administrator.

Overview

This vulnerability (CVE-2021-35210) affects the system log functionality in Contao CMS. The issue stems from insufficient input validation and output encoding in the system log display mechanism. Attackers can craft special inputs that get stored in the system log database table (tl_log) without proper sanitization. When an administrator later accesses the system log through the back end interface, the injected JavaScript code executes in their browser with their privileges. This is a stored XSS vulnerability that specifically targets administrative users who have access to the system logs, making it particularly dangerous as it can compromise administrative accounts.

Remediation

To remediate this vulnerability, take the following actions:

  1. Update Contao CMS to version 4.9.16 or later (if using the 4.9.x branch) or to version 4.11.5 or later (if using the 4.11.x branch).
  2. If immediate updating is not possible, consider restricting access to the system log functionality to only essential administrative users.
  3. Implement additional web application firewall rules to detect and block potential XSS payloads.
  4. Review system logs for any suspicious entries that might indicate exploitation attempts.
  5. After updating, consider clearing or purging old system logs that might contain malicious payloads.
  6. Ensure that all administrative users are using modern browsers with XSS protection features enabled.

References

  1. Vendor Security Advisory: https://contao.org/en/security-advisories/cross-site-scripting-in-the-system-log-2021.html
  2. GitHub Security Advisory: https://github.com/contao/contao/security/advisories/GHSA-h58v-c6rf-g9f7
  3. Common Weakness Enumeration: CWE-79 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting')
  4. MITRE CVE Entry: CVE-2021-35210

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services
    Accommodation & Food Services
  2. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services
  3. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  4. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  5. Construction
    Construction
  6. Educational Services
    Educational Services
  7. Finance and Insurance
    Finance and Insurance
  8. Health Care & Social Assistance
    Health Care & Social Assistance
  9. Information
    Information
  10. Management of Companies & Enterprises
    Management of Companies & Enterprises
  11. Manufacturing
    Manufacturing
  12. Mining
    Mining
  13. Other Services (except Public Administration)
    Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  15. Public Administration
    Public Administration
  16. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  17. Retail Trade
    Retail Trade
  18. Transportation & Warehousing
    Transportation & Warehousing
  19. Utilities
    Utilities
  20. Wholesale Trade
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background