Description
Contao 3.x before 3.5.32 allows XSS via the unsubscribe module in the frontend newsletter extension.

Remediation

References
CVE-2018-5478

Related Vulnerabilities
WordPress Plugin VendorFuel Local File Overwrite (1.3.1)
WordPress 3.7.x Prototype Pollution (3.7 - 3.7.37)
Squid Improper Input Validation Vulnerability (CVE-2016-2570)
WordPress Plugin Booking.com Product Helper Cross-Site Scripting (1.0.1)
PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2016-4342)

Severity
Medium

Classification
CVE-2018-5478
CWE-707
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags
Missing Update
Known Vulnerabilities