GHSA-m8x6-6r63-qvj2: Cross site scripting via canonical tag in Contao

Impact

Untrusted users can inject malicious code into the canonical tag that Contao emits in the front end; the injected code then executes in the browser of anyone who views the affected page. No account or other privileges are needed (PR:N in the CVSS vector below).
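To make the vulnerability class concrete, here is an added illustration in PHP (Contao's language). It is not Contao's code and not the 4.13.3 patch; it shows a generic, hypothetical template helper that builds a canonical tag from a URL, first without and then with HTML attribute escaping, plus a small check for whether the rendered tag is still a single element. The request URL is a constructed sample.

```php
<?php
// Added example, not Contao's code. Shows why a URL placed into
// <link rel="canonical" href="..."> must be escaped for the attribute context.

declare(strict_types=1);

/**
 * Vulnerable pattern (hypothetical): the canonical URL is interpolated into
 * the href attribute with no HTML escaping, so a quote in the URL closes the
 * attribute and anything after it becomes markup.
 */
function canonicalTagUnsafe(string $canonicalUrl): string
{
    return '<link rel="canonical" href="' . $canonicalUrl . '">';
}

/**
 * Hardened pattern: escape for an HTML attribute. ENT_QUOTES encodes both
 * " and ', ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
 * empty string, and the value can no longer close the attribute or the tag.
 */
function canonicalTagSafe(string $canonicalUrl): string
{
    $escaped = htmlspecialchars($canonicalUrl, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<link rel="canonical" href="' . $escaped . '">';
}

/**
 * Rough check for rendered output: a correctly escaped canonical tag is one
 * element with no '<' or '>' between its opening and closing brackets.
 */
function tagIsSingleElement(string $tag): bool
{
    return preg_match('/^<link [^<>]*>$/', $tag) === 1;
}

// Constructed sample: a request URL carrying an attribute-breakout payload.
$attackerUrl = 'https://example.test/page?x="><script>alert(document.domain)</script>';

$unsafe = canonicalTagUnsafe($attackerUrl);
$safe = canonicalTagSafe($attackerUrl);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo 'unsafe is a single element? ', var_export(tagIsSingleElement($unsafe), true), "\n";
echo 'safe is a single element?   ', var_export(tagIsSingleElement($safe), true), "\n";
```

Run it with `php canonical.php`. The unsafe variant prints a `<script>` element after the prematurely closed `href`, and the check reports `false`; the escaped variant prints `&quot;&gt;&lt;script&gt;...` inside the attribute and the check reports `true`. On a Contao site the remedy is the update below rather than hand-patching templates, since the tag is generated by the core bundle.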

Patches

Update to Contao 4.13.3, which ships the fixed contao/core-bundle. Only the 4.13.0 to 4.13.2 releases are in the affected range listed below.

Workarounds

Until you can update, disable canonical tags in the root page settings. This stops the front end from emitting the tag at all, which removes the injection point. Re-enable the feature after updating to 4.13.3 or later.

References

https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

CVE ID

CVE-2022-24899

High severity. GitHub Reviewed. Published May 20, 2022 in contao/contao.

Package

contao/core-bundle (Composer)

Affected versions

>= 4.13.0, < 4.13.3

Severity

High (CVSS 3.1 base score 7.2)

CVSS base metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Network attack vector, low attack complexity, no privileges and no user interaction required, changed scope, low confidentiality and integrity impact, no availability impact.

GHSA ID

GHSA-m8x6-6r63-qvj2

