CVE-2025-57756

Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index	Vendor Advisory
https://github.com/contao/contao/commit/a03976c459b6f3985a28f6488b82a76ffb6c0514	Patch
https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:contao:contao::::::::
	cpe:2.3:a:contao:contao::::::::
	cpe:2.3:a:contao:contao::::::::
	cpe:2.3:a:contao:contao::::::::

History

No history.

Information

Published : 2025-08-28 17:15

Updated : 2025-09-02 17:39

NVD link : CVE-2025-57756

Mitre link : CVE-2025-57756

CVE.ORG link : CVE-2025-57756

JSON object : View

Products Affected

contao

contao

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-612

Improper Authorization of Index Containing Sensitive Information

{"id": "CVE-2025-57756", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-08-28T17:15:36.023", "references": [{"url": "https://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/contao/contao/commit/a03976c459b6f3985a28f6488b82a76ffb6c0514", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475", "tags": ["Patch", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-612"}]}], "descriptions": [{"lang": "en", "value": "Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search."}], "lastModified": "2025-09-02T17:39:29.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEA37692-4A35-4C0E-95C5-ABE4B9142441", "versionEndIncluding": "4.9.14", "versionStartIncluding": "4.9.0"}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82752B8E-B939-4ADA-A7E5-595890EBA810", "versionEndExcluding": "4.13.56", "versionStartIncluding": "4.10.0"}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD3F6788-0473-4C0E-8602-2B66A518B9D5", "versionEndExcluding": "5.3.38", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC84DCCC-B7C2-43DB-AFFA-F3464B640F78", "versionEndExcluding": "5.6.1", "versionStartIncluding": "5.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}