Contao discloses sensitive information in the front end search index

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search.

Basic Information

ID CVE-2025-57756

Source GitHub_M

Published Aug 28, 2025 at 16:31

Modified Aug 28, 2025 at 17:49

Affected Product

Vendor contao

Product contao

Version >= 4.9.14, < 4.13.56

Affected Versions contao contao >= 4.9.14, < 4.13.56
contao contao >= 5.0.0-RC1, < 5.3.38
contao contao >= 5.4.0-RC1, < 5.6.1

CWE Classification

CWE-200 CWE-612

References

{
    "lastseen": "",
    "description": "Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search.",
    "published": "2025-08-28T16:31:40.295Z",
    "modified": "2025-08-28T17:49:26.154Z",
    "type": "cve",
    "title": "Contao discloses sensitive information in the front end search index",
    "source": "GitHub_M",
    "references": "https://github.com/contao/contao/security/advisories/GHSA-2xmj-8wmq-7475\nhttps://github.com/contao/contao/commit/a03976c459b6f3985a28f6488b82a76ffb6c0514\nhttps://contao.org/en/security-advisories/information-disclosure-in-the-front-end-search-index",
    "id": "CVE-2025-57756",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200",
        "CWE-612"
    ],
    "cvelist": null,
    "sourceData": "contao contao >= 4.9.14, < 4.13.56\ncontao contao >= 5.0.0-RC1, < 5.3.38\ncontao contao >= 5.4.0-RC1, < 5.6.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "contao",
    "version": ">= 4.9.14, < 4.13.56",
    "vendor": "contao",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Contao discloses sensitive information in the front end search index_CVE-2025-57756