CVE-2022-24899

Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
GitHub_MCNA
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
contaocontao
4.13.0 ≤
𝑥
≤ 4.13.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html
https://github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c
https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html
https://github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c
https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2