Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tOHg2LTZyNjMtcXZqMs4AAgbl

Cross site scripting via canonical tag in Contao

Impact

Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end).

Patches

Update to Contao 4.13.3.

Workarounds

Disable canonical tags in the root page settings.

References

https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Permalink: https://github.com/advisories/GHSA-m8x6-6r63-qvj2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tOHg2LTZyNjMtcXZqMs4AAgbl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 8 months ago

CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00648
EPSS Percentile: 0.79201

Identifiers: GHSA-m8x6-6r63-qvj2, CVE-2022-24899
References:

Repository: https://github.com/contao/contao
Blast Radius: 23.7

Affected Packages

packagist:contao/contao

Dependent packages: 8
Dependent repositories: 7
Downloads: 13,519 total
Affected Version Ranges: >= 4.13.0, < 4.13.3
Fixed in: 4.13.3
All affected versions: 4.13.0, 4.13.1, 4.13.2
All unaffected versions: 4.4.22, 4.4.23, 4.4.24, 4.4.25, 4.4.26, 4.4.27, 4.4.28, 4.4.29, 4.4.30, 4.4.31, 4.4.32, 4.4.33, 4.4.34, 4.4.35, 4.4.36, 4.4.37, 4.4.38, 4.4.39, 4.4.40, 4.4.41, 4.4.42, 4.4.43, 4.4.44, 4.4.45, 4.4.46, 4.4.47, 4.4.48, 4.4.49, 4.4.50, 4.4.51, 4.4.52, 4.4.53, 4.4.54, 4.4.55, 4.4.56, 4.4.57, 4.5.13, 4.5.14, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13, 4.6.14, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, 4.8.8, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10, 4.9.11, 4.9.12, 4.9.13, 4.9.14, 4.9.15, 4.9.16, 4.9.17, 4.9.18, 4.9.19, 4.9.20, 4.9.21, 4.9.22, 4.9.23, 4.9.24, 4.9.25, 4.9.26, 4.9.27, 4.9.28, 4.9.29, 4.9.30, 4.9.31, 4.9.32, 4.9.33, 4.9.34, 4.9.35, 4.9.36, 4.9.37, 4.9.38, 4.9.39, 4.9.40, 4.9.41, 4.9.42, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.11.7, 4.11.8, 4.11.9, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.12.5, 4.12.6, 4.12.7, 4.13.3, 4.13.4, 4.13.5, 4.13.6, 4.13.7, 4.13.8, 4.13.9, 4.13.10, 4.13.11, 4.13.12, 4.13.13, 4.13.14, 4.13.15, 4.13.16, 4.13.17, 4.13.18, 4.13.19, 4.13.20, 4.13.21, 4.13.22, 4.13.23, 4.13.24, 4.13.25, 4.13.26, 4.13.27, 4.13.28, 4.13.29, 4.13.30, 4.13.31, 4.13.32, 4.13.33, 4.13.34, 4.13.35, 4.13.36, 4.13.37, 4.13.38, 4.13.39, 4.13.40, 4.13.41, 4.13.42, 4.13.43, 4.13.44, 4.13.45, 4.13.46, 4.13.47, 4.13.48, 4.13.49, 4.13.50, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.3.13, 5.3.14, 5.3.15, 5.3.16, 5.3.17, 5.3.18, 5.3.19, 5.3.20, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8

packagist:contao/core-bundle

Dependent packages: 1,961
Dependent repositories: 1,932
Downloads: 1,270,424 total
Affected Version Ranges: >= 4.13.0, < 4.13.3
Fixed in: 4.13.3
All affected versions: 4.13.0, 4.13.1, 4.13.2
All unaffected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 4.4.14, 4.4.15, 4.4.16, 4.4.17, 4.4.18, 4.4.19, 4.4.20, 4.4.21, 4.4.22, 4.4.23, 4.4.24, 4.4.25, 4.4.26, 4.4.27, 4.4.28, 4.4.29, 4.4.30, 4.4.31, 4.4.32, 4.4.33, 4.4.34, 4.4.35, 4.4.36, 4.4.37, 4.4.38, 4.4.39, 4.4.40, 4.4.41, 4.4.42, 4.4.43, 4.4.44, 4.4.45, 4.4.46, 4.4.47, 4.4.48, 4.4.49, 4.4.50, 4.4.51, 4.4.52, 4.4.53, 4.4.54, 4.4.55, 4.4.56, 4.4.57, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9, 4.5.10, 4.5.11, 4.5.12, 4.5.13, 4.5.14, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13, 4.6.14, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, 4.8.8, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10, 4.9.11, 4.9.12, 4.9.13, 4.9.14, 4.9.15, 4.9.16, 4.9.17, 4.9.18, 4.9.19, 4.9.20, 4.9.21, 4.9.22, 4.9.23, 4.9.24, 4.9.25, 4.9.26, 4.9.27, 4.9.28, 4.9.29, 4.9.30, 4.9.31, 4.9.32, 4.9.33, 4.9.34, 4.9.35, 4.9.36, 4.9.37, 4.9.38, 4.9.39, 4.9.40, 4.9.41, 4.9.42, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.5, 4.10.6, 4.10.7, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.11.7, 4.11.8, 4.11.9, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.12.5, 4.12.6, 4.12.7, 4.13.3, 4.13.4, 4.13.5, 4.13.6, 4.13.7, 4.13.8, 4.13.9, 4.13.10, 4.13.11, 4.13.12, 4.13.13, 4.13.14, 4.13.15, 4.13.16, 4.13.17, 4.13.18, 4.13.19, 4.13.20, 4.13.21, 4.13.22, 4.13.23, 4.13.24, 4.13.25, 4.13.26, 4.13.27, 4.13.28, 4.13.29, 4.13.30, 4.13.31, 4.13.32, 4.13.33, 4.13.34, 4.13.35, 4.13.36, 4.13.37, 4.13.38, 4.13.39, 4.13.40, 4.13.41, 4.13.42, 4.13.43, 4.13.44, 4.13.45, 4.13.46, 4.13.47, 4.13.48, 4.13.49, 4.13.50, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.3.13, 5.3.14, 5.3.15, 5.3.16, 5.3.17, 5.3.18, 5.3.19, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7