GHSA-2xpq-xp6c-5mgj

Suggest an improvement
Source
https://github.com/advisories/GHSA-2xpq-xp6c-5mgj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-2xpq-xp6c-5mgj/GHSA-2xpq-xp6c-5mgj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2xpq-xp6c-5mgj
Aliases
Published
2024-09-17T14:59:02Z
Modified
2024-09-23T21:49:44.127021Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Contao affected by insert tag injection via canonical URL
Details

Impact

It is possible to inject insert tags in canonical URLs which will be replaced when the page is rendered.

Patches

Update to Contao 4.13.49, 5.3.15 or 5.4.3.

Workarounds

Disable canonical tags in the settings of the website root page.

References

https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

References

Affected packages

Packagist / contao/core-bundle

Package

Name
contao/core-bundle
Purl
pkg:composer/contao/core-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.13.0
Fixed
4.13.49

Affected versions

4.*

4.13.0
4.13.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.13.11
4.13.12
4.13.13
4.13.14
4.13.15
4.13.16
4.13.17
4.13.18
4.13.19
4.13.20
4.13.21
4.13.22
4.13.23
4.13.24
4.13.25
4.13.26
4.13.27
4.13.28
4.13.29
4.13.30
4.13.31
4.13.32
4.13.33
4.13.34
4.13.35
4.13.36
4.13.37
4.13.38
4.13.39
4.13.40
4.13.41
4.13.42
4.13.43
4.13.44
4.13.45
4.13.46
4.13.47
4.13.48

Packagist / contao/core-bundle

Package

Name
contao/core-bundle
Purl
pkg:composer/contao/core-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.3.15

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.1.0-RC1
5.1.0-RC2
5.1.0-RC3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.2.0-RC1
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0-RC5
5.2.0-RC6
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14

Packagist / contao/core-bundle

Package

Name
contao/core-bundle
Purl
pkg:composer/contao/core-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.0
Fixed
5.4.3

Affected versions

5.*

5.4.0
5.4.1
5.4.2