GHSA-m8x6-6r63-qvj2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m8x6-6r63-qvj2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m8x6-6r63-qvj2/GHSA-m8x6-6r63-qvj2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m8x6-6r63-qvj2
- Aliases
- Published
- 2022-05-20T19:54:56Z
- Modified
- 2024-04-22T19:16:50.112981Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross site scripting via canonical tag in Contao
- Details
-
Impact
Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end).
Patches
Update to Contao 4.13.3.
Workarounds
Disable canonical tags in the root page settings.
References
https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
- Database specific
{ "nvd_published_at": "2022-05-06T00:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-05-20T19:54:56Z" }- References
-
- https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
- https://nvd.nist.gov/vuln/detail/CVE-2022-24899
- https://github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c
- https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2022-24899.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2022-24899.yaml
- https://github.com/contao/contao
Affected packages
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Packagist / contao/contao
Package
- Name
- contao/contao
- Purl
- pkg:composer/contao/contao