Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-24899: Cross-site Scripting in Contao

Severity
NVD: 6.1 MEDIUM
CNA: 7.2
EPSS: 44.0% (top 2.45%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: May 6
Latest update: May 20

Description

Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround, users may disable canonical tags in the root page settings.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

Source       Package               Affected range
CVEList V5   contao/contao         < 4.13.3
Packagist    contao/contao         >= 4.13.0, < 4.13.3
Packagist    contao/core-bundle    >= 4.13.0, < 4.13.3
NVD          contao/contao         4.13.0 to 4.13.2 (inclusive)

Patches

🔴 Vulnerability Details (3)

GHSA: Cross site scripting via canonical tag in Contao (2022-05-20)
OSV: Cross site scripting via canonical tag in Contao (2022-05-20)
CVEList: Cross site scripting via canonical tag (2022-05-05)

💥 Exploits & PoCs (1)

Nuclei: Contao <4.13.3 - Cross-Site Scripting
CVE-2022-24899 — Cross-site Scripting in Contao | cvebase