Vulnerability details: VCID-bmmc-gmwu-a7dx
Vulnerability ID VCID-bmmc-gmwu-a7dx
Aliases CVE-2023-36806
GHSA-4gpr-p634-922x
Summary: Cross site scripting via input unit widget. Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview (back end) and on the website (front end).
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
epss 0.00384 https://api.first.org/data/v1/epss?cve=CVE-2023-36806
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4gpr-p634-922x
cvssv3.1 6.6 https://github.com/contao/contao
generic_textual MODERATE https://github.com/contao/contao
cvssv3.1 6.5 https://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
cvssv3.1 6.6 https://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
generic_textual MODERATE https://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
ssvc Track https://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
cvssv3.1 6.5 https://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
cvssv3.1 6.6 https://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
generic_textual MODERATE https://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
ssvc Track https://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
cvssv3.1 6.5 https://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
cvssv3.1 6.6 https://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
generic_textual MODERATE https://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
ssvc Track https://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
cvssv3.1 6.5 https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
cvssv3.1 6.6 https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
cvssv3.1_qr MODERATE https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
generic_textual MODERATE https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
ssvc Track https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
cvssv3.1 6.6 https://herolab.usd.de/security-advisories/usd-2023-0020
generic_textual MODERATE https://herolab.usd.de/security-advisories/usd-2023-0020
cvssv3.1 6.5 https://herolab.usd.de/security-advisories/usd-2023-0020/
ssvc Track https://herolab.usd.de/security-advisories/usd-2023-0020/
cvssv3.1 6.6 https://nvd.nist.gov/vuln/detail/CVE-2023-36806
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-36806
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/contao/contao
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Found at https://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/ Found at https://github.com/contao/contao/commit/5c9aff32cfc1f7dc452a045862ac2f86a6b9b4b4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Found at https://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/ Found at https://github.com/contao/contao/commit/c98585d36baa25fda69c062421e7e7eadc53c82b
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Found at https://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/ Found at https://github.com/contao/contao/commit/ccb64c777eb0f9c0e6490c9135d80e915d37cd32
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Found at https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/ Found at https://github.com/contao/contao/security/advisories/GHSA-4gpr-p634-922x
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Found at https://herolab.usd.de/security-advisories/usd-2023-0020
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Found at https://herolab.usd.de/security-advisories/usd-2023-0020/
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T18:55:31Z/ Found at https://herolab.usd.de/security-advisories/usd-2023-0020/
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-36806
Exploit Prediction Scoring System (EPSS)
Percentile 0.59932
EPSS Score 0.00384
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:01:24.631490+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2023-36806.yml 38.6.0