7.2
CVE-2022-24899
- EPSS 3.72%
- Published 06.05.2022 00:15:07
- Last modified 21.11.2024 06:51:21
- Source security-advisories@github.com
Cross site scripting via canonical tag
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.72% | 0.883 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| security-advisories@github.com | 7.2 | 3.9 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html
https://github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c
https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2