CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 7.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS: 0.003 Low
Percentile: 71.6%
Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end).
Fix: Update to Contao 4.13.3.
Workaround: Disable canonical tags in the root page settings.
https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url
If you have any questions or comments about this advisory, open an issue in contao/contao.
CPE Name | Operator | Version
---|---|---
contao/contao | lt | 4.13.3
contao/core-bundle | lt | 4.13.3
contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html
github.com/advisories/GHSA-m8x6-6r63-qvj2
github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c
github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2022-24899.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2022-24899.yaml
nvd.nist.gov/vuln/detail/CVE-2022-24899