VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-53kv-tku1-x3fk

Essentials
Severities (27)
References (9)
Severity details (26)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-53kv-tku1-x3fk
Aliases	CVE-2024-28235 GHSA-9jh5-qf84-x6pr
Summary	Contao: Possible cookie sharing with external domains while checking protected pages for broken links If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2024-28235
cvssv3.1	8.3	https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
cvssv3.1	8.4	https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
generic_textual	HIGH	https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
ssvc	Track	https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-9jh5-qf84-x6pr
cvssv3.1	8.3	https://github.com/contao/contao
generic_textual	HIGH	https://github.com/contao/contao
cvssv3.1	8.3	https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
cvssv3.1	8.4	https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
generic_textual	HIGH	https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
ssvc	Track	https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
cvssv3.1	8.3	https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
cvssv3.1	8.4	https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
generic_textual	HIGH	https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
ssvc	Track	https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
cvssv3.1	8.3	https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
cvssv3.1	8.4	https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
generic_textual	HIGH	https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
ssvc	Track	https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
cvssv3.1	8.3	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
cvssv3.1	8.4	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
cvssv3.1_qr	HIGH	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
generic_textual	HIGH	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
ssvc	Track	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
cvssv3.1	8.3	https://nvd.nist.gov/vuln/detail/CVE-2024-28235
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2024-28235

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-28235
		https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
		https://github.com/contao/contao
		https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
		https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
		https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
CVE-2024-28235		https://nvd.nist.gov/vuln/detail/CVE-2024-28235
GHSA-9jh5-qf84-x6pr		https://github.com/advisories/GHSA-9jh5-qf84-x6pr
GHSA-9jh5-qf84-x6pr		https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-28235

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.61898
EPSS Score	0.00414
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T21:03:47.592473+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2024-28235.yml	38.6.0