VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-sng8-95gj-t7bh

Essentials
Severities (28)
References (9)
Severity details (26)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-sng8-95gj-t7bh
Aliases	CVE-2024-28235 GHSA-9jh5-qf84-x6pr
Summary	Contao is an open source content management system. Starting in version 4.9.0 and prior to versions 4.13.40 and 5.3.4, when checking for broken links on protected pages, Contao sends the cookie header to external urls as well, the passed options for the http client are used for all requests. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, disable crawling protected pages.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2024-28235
epss	0.00414	https://api.first.org/data/v1/epss?cve=CVE-2024-28235
cvssv3.1	8.3	https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
cvssv3.1	8.4	https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
generic_textual	HIGH	https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
ssvc	Track	https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-9jh5-qf84-x6pr
cvssv3.1	8.3	https://github.com/contao/contao
generic_textual	HIGH	https://github.com/contao/contao
cvssv3.1	8.3	https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
cvssv3.1	8.4	https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
generic_textual	HIGH	https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
ssvc	Track	https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
cvssv3.1	8.3	https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
cvssv3.1	8.4	https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
generic_textual	HIGH	https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
ssvc	Track	https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
cvssv3.1	8.3	https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
cvssv3.1	8.4	https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
generic_textual	HIGH	https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
ssvc	Track	https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
cvssv3.1	8.3	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
cvssv3.1	8.4	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
cvssv3.1_qr	HIGH	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
generic_textual	HIGH	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
ssvc	Track	https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
cvssv3.1	8.3	https://nvd.nist.gov/vuln/detail/CVE-2024-28235
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2024-28235

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-28235
		https://github.com/contao/contao
73a2770e2d3535ec9f1b03d54be00e56ebb8ff16		https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16
79b7620d01ce8f46ce2b331455e0d95e5208de3d		https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d
Crawl.php#L129		https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129
CVE-2024-28235		https://nvd.nist.gov/vuln/detail/CVE-2024-28235
GHSA-9jh5-qf84-x6pr		https://github.com/advisories/GHSA-9jh5-qf84-x6pr
GHSA-9jh5-qf84-x6pr		https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr
session-cookie-disclosure-in-the-crawler		https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://contao.org/en/security-advisories/session-cookie-disclosure-in-the-crawler

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://github.com/contao/contao/blob/14e9ef4bc8b82936ba2d0e04164581145a075e2a/core-bundle/src/Resources/contao/classes/Crawl.php#L129

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://github.com/contao/contao/commit/73a2770e2d3535ec9f1b03d54be00e56ebb8ff16

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://github.com/contao/contao/commit/79b7620d01ce8f46ce2b331455e0d95e5208de3d

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:31:57Z/ Found at https://github.com/contao/contao/security/advisories/GHSA-9jh5-qf84-x6pr

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-28235

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.62052
EPSS Score	0.00414
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-10T18:32:04.626504+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2024/28xxx/CVE-2024-28235.json	38.6.0