GHSA-m8x6-6r63-qvj2: Cross site scripting via canonical tag in Contao
Impact
Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end).
Patches
Update to Contao 4.13.3.
Workarounds
Disable canonical tags in the root page settings.
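The bug class described under Impact, and the "emit no tag" effect of the workaround above, as an added example (not Contao's code; the render functions and the sample URL are hypothetical):

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical, not Contao's code): a request-derived URL is
// concatenated straight into the href attribute, so a double quote in the query
// string closes the attribute and any following markup becomes part of the page.
function renderCanonicalUnsafe(string $url): string
{
    return '<link rel="canonical" href="' . $url . '">';
}

// Hardened renderer: accept only absolute http(s) URLs and escape the value for
// an HTML attribute context. Returning null means "emit no canonical tag", the
// same effect as the advisory's workaround of disabling canonical tags.
function renderCanonicalSafe(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative or malformed: not a usable canonical URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // refuse javascript:, data: and other non-web schemes
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link rel="canonical" href="' . $escaped . '">';
}

// Constructed sample input: a page URL whose query string carries
// attribute-breaking characters, as an untrusted visitor could supply them.
$tainted = 'https://example.com/news?q="><b>injected</b>';

echo renderCanonicalUnsafe($tainted), PHP_EOL; // attribute is broken out of
echo renderCanonicalSafe($tainted), PHP_EOL;   // quotes and brackets are entity-encoded
```

Escaping alone is the minimum; building the canonical URL from the resolved page route rather than echoing the request URL removes the untrusted input entirely.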
References
https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
CVE-2022-24899
High severity, GitHub Reviewed, published May 20, 2022 in contao/contao
Package: contao/core-bundle (Composer)
Affected versions: >= 4.13.0, < 4.13.3
Severity (CVSS base metrics): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
GHSA ID: GHSA-m8x6-6r63-qvj2