GHSA-2xpq-xp6c-5mgj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2xpq-xp6c-5mgj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-2xpq-xp6c-5mgj/GHSA-2xpq-xp6c-5mgj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2xpq-xp6c-5mgj
- Aliases
- Published
- 2024-09-17T14:59:02Z
- Modified
- 2024-09-23T21:49:44.127021Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Contao affected by insert tag injection via canonical URL
- Details
-
Impact
It is possible to inject insert tags in canonical URLs which will be replaced when the page is rendered.
Patches
Update to Contao 4.13.49, 5.3.15 or 5.4.3.
Workarounds
Disable canonical tags in the settings of the website root page.
References
https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
- Database specific
{ "nvd_published_at": "2024-09-17T19:15:28Z", "cwe_ids": [ "CWE-20", "CWE-74", "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-09-17T14:59:02Z" }- References
-
- https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj
- https://nvd.nist.gov/vuln/detail/CVE-2024-45612
- https://github.com/contao/contao/commit/1c28e9ac7a7b915134962a59681a8701a44ccbe2
- https://github.com/contao/contao/commit/d105224e14ddc84f27cd8802b553369decdcbe66
- https://github.com/contao/contao/commit/ffe05cda5310dc2bd259d1391197f3849dab8590
- https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls
- https://github.com/contao/contao
Affected packages
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Affected versions
4.*
4.13.0
4.13.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.13.11
4.13.12
4.13.13
4.13.14
4.13.15
4.13.16
4.13.17
4.13.18
4.13.19
4.13.20
4.13.21
4.13.22
4.13.23
4.13.24
4.13.25
4.13.26
4.13.27
4.13.28
4.13.29
4.13.30
4.13.31
4.13.32
4.13.33
4.13.34
4.13.35
4.13.36
4.13.37
4.13.38
4.13.39
4.13.40
4.13.41
4.13.42
4.13.43
4.13.44
4.13.45
4.13.46
4.13.47
4.13.48
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Affected versions
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.1.0-RC1
5.1.0-RC2
5.1.0-RC3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.2.0-RC1
5.2.0-RC2
5.2.0-RC3
5.2.0-RC4
5.2.0-RC5
5.2.0-RC6
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.3.0-RC1
5.3.0-RC2
5.3.0-RC3
5.3.0-RC4
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle