CVE-2024-28235
📋 TL;DR
Contao CMS versions 4.9.0 through 4.13.39 and 5.0.0 through 5.3.3 inadvertently send session cookies to external URLs when checking for broken links on protected pages. This allows attackers to potentially steal user sessions and impersonate authenticated users. All Contao installations using the crawler feature on protected pages are affected.
💻 Affected Systems
- Contao CMS
📦 What is this software?
Contao by Contao
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control over the CMS, and potentially compromise the entire web server.
Likely Case
Attackers steal user session cookies from protected pages, enabling account takeover and unauthorized access to sensitive content.
If Mitigated
With proper controls, impact is limited to temporary session exposure with no persistent access after session expiration.
🎯 Exploit Status
Exploitation requires the attacker to control or monitor an external URL that receives the cookie header.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.13.40 or 5.3.4
Vendor Advisory: https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
Restart Required: No
Instructions:
1. Back up your Contao installation and database.
2. Update Contao to version 4.13.40 (for Contao 4) or 5.3.4 (for Contao 5) using Composer: 'composer update contao/core-bundle'.
3. Clear the cache: 'php vendor/bin/contao-console cache:clear'.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable crawling protected pages
Prevent the crawler from checking broken links on password-protected pages.
Edit Contao configuration to disable crawling of protected pages or disable the crawler feature entirely.
🧯 If You Can't Patch
- Disable the crawler feature completely in Contao settings.
- Implement network segmentation to prevent the Contao server from making outbound HTTP requests to untrusted domains.
🔍 How to Verify
Check if Vulnerable:
Check the Contao version via the admin panel or by examining the composer.lock file for the locked contao/core-bundle version.
Check Version:
php vendor/bin/contao-console contao:version
Verify Fix Applied:
Confirm version is 4.13.40 or higher (for Contao 4) or 5.3.4 or higher (for Contao 5).
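The composer.lock check above can be scripted. The following is an added example, not Contao's own tooling: it reads the standard composer.lock layout (a "packages" and a "packages-dev" array of entries with "name" and "version"), looks up contao/core-bundle, and compares the locked version against the affected ranges stated in this advisory (4.9.0 through 4.13.39 and 5.0.0 through 5.3.3, fixed in 4.13.40 and 5.3.4). Branch aliases such as "4.13.x-dev" cannot be ordered against a release number and are reported as unknown rather than guessed.

```python
"""Check a composer.lock for a contao/core-bundle version affected by CVE-2024-28235.

Added example, not Contao's own tooling. Affected ranges and fixed versions are
taken from the advisory text: 4.9.0-4.13.39 and 5.0.0-5.3.3 affected,
4.13.40 and 5.3.4 fixed.
"""
import json
import re
from pathlib import Path

# (first affected, first fixed) per release line; the upper bound is exclusive.
AFFECTED_RANGES = [
    ((4, 9, 0), (4, 13, 40)),
    ((5, 0, 0), (5, 3, 4)),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(version):
    """Return (major, minor, patch) for a tagged release such as "4.13.39" or
    "v4.13.39"; return None for anything else (e.g. the branch alias "4.13.x-dev")."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the release falls inside an affected range, False if it is fixed or
    outside every range, None if the version string cannot be evaluated."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return any(low <= parsed < fixed for low, fixed in AFFECTED_RANGES)


def core_bundle_version(lock_json):
    """Return the locked contao/core-bundle version from a parsed composer.lock, or None."""
    for section in ("packages", "packages-dev"):
        for pkg in lock_json.get(section, []):
            if pkg.get("name") == "contao/core-bundle":
                return pkg.get("version")
    return None


def check_lock_file(path):
    """Return (version, status); status is 'affected', 'not affected' or 'unknown'."""
    lock = json.loads(Path(path).read_text(encoding="utf-8"))
    version = core_bundle_version(lock)
    if version is None:
        return None, "unknown"
    verdict = is_affected(version)
    status = "unknown" if verdict is None else ("affected" if verdict else "not affected")
    return version, status


if __name__ == "__main__":
    import sys

    lock_path = sys.argv[1] if len(sys.argv) > 1 else "composer.lock"
    locked, result = check_lock_file(lock_path)
    print(f"contao/core-bundle {locked or '(not found)'}: {result}")
```

Run it from the project root (or pass the path to composer.lock); an "unknown" result for a dev alias means the installed commit must be compared against the fix commits listed in the references instead.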
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Contao server to external domains with cookie headers in logs.
Network Indicators:
- HTTP traffic from Contao server to unexpected external domains containing cookie headers.
SIEM Query:
source="contao_logs" AND (event="crawler_request" AND url="http*://*" AND headers="*cookie:*")
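The indicator in both sections is the same event: an outbound request from the Contao host that carries a Cookie header to a host that is not one of the site's own domains. The following is an added example, not Contao's own code, of that detection run over constructed sample log lines. It assumes a JSON-lines egress log with ts, src, url and headers fields and a configured set of first-party hostnames; both the format and the hostnames are made up for the example, so adapt the parser to whatever your proxy or application log actually emits. Findings keep only cookie names, never values, so the alert itself does not re-leak the session.

```python
"""Flag outbound requests that send a Cookie header to a non-first-party host.

Added detection example for CVE-2024-28235, not Contao's own code. The JSON-lines
log format, the first-party hostnames and the sample entries are constructed.
"""
import json
from urllib.parse import urlsplit

# Hosts for which sending the site's own session cookie is expected (constructed).
FIRST_PARTY_HOSTS = {"www.example-site.test", "example-site.test"}

# Constructed sample log: a first-party request with a cookie (normal), a cookie sent
# to an external host (the leak), and an external request without a cookie (normal).
SAMPLE_LOG = """\
{"ts": "2024-04-09T10:15:01Z", "src": "contao-web01", "url": "https://www.example-site.test/members/news", "headers": {"user-agent": "contao/crawler", "cookie": "SID=REDACTED"}}
{"ts": "2024-04-09T10:15:02Z", "src": "contao-web01", "url": "https://external-cdn.test/doc.pdf", "headers": {"user-agent": "contao/crawler", "cookie": "SID=REDACTED"}}
{"ts": "2024-04-09T10:15:03Z", "src": "contao-web01", "url": "https://partner.test/link", "headers": {"user-agent": "contao/crawler"}}
"""


def is_first_party(host, first_party_hosts=FIRST_PARTY_HOSTS):
    """A host is first-party if it equals, or is a subdomain of, a configured site host."""
    host = host.lower()
    return any(host == fp or host.endswith("." + fp) for fp in first_party_hosts)


def find_cookie_leaks(log_text, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return one finding per request that sent a Cookie header to a non-first-party host.

    Only cookie names are copied into the finding; values are deliberately dropped.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
        cookie = headers.get("cookie")
        if not cookie:
            continue
        host = urlsplit(entry.get("url", "")).hostname or ""
        if is_first_party(host, first_party_hosts):
            continue
        cookie_names = [c.split("=", 1)[0].strip() for c in cookie.split(";") if c.strip()]
        findings.append({
            "ts": entry.get("ts"),
            "src": entry.get("src"),
            "host": host,
            "cookies": cookie_names,
        })
    return findings


if __name__ == "__main__":
    for f in find_cookie_leaks(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} sent cookie(s) {f['cookies']} to external host {f['host']}")
```

Any finding on a host that is not one of your own domains is worth treating as a confirmed disclosure: rotate the affected sessions and apply the patch rather than only tuning the allow-list.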
🔗 References
- https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
- https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
- https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
- https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
- https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr