Skip to content

Cross site scripting via canonical URL

High
leofeyer published GHSA-m8x6-6r63-qvj2 May 5, 2022

Package

composer contao/core-bundle (Composer)

Affected versions

>= 4.13.0

Patched versions

4.13.3

Description

Impact

Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end).

Patches

Update to Contao 4.13.3.

Workarounds

Disable canonical tags in the root page settings.

References

https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Severity

High
7.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE ID

CVE-2022-24899

Weaknesses

No CWEs