Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-gzzh-6ysu-9yey
Vulnerability ID VCID-gzzh-6ysu-9yey
Aliases CVE-2024-28235
GHSA-9jh5-qf84-x6pr
Summary Contao: Possible cookie sharing with external domains while checking protected pages for broken links If the crawler is set to crawl protected pages, it sends the cookie header to externals URLs.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
https://github.com/contao/contao
https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
CVE-2024-28235 https://nvd.nist.gov/vuln/detail/CVE-2024-28235
GHSA-9jh5-qf84-x6pr https://github.com/advisories/GHSA-9jh5-qf84-x6pr
GHSA-9jh5-qf84-x6pr https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:47:32.425293+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/contao/core-bundle/CVE-2024-28235.yml 38.6.0