Description
Contao affected by insert tag injection via canonical URL
Impact
It is possible to inject insert tags in canonical URLs which will be replaced when the page is rendered.
Patches
Update to Contao 4.13.49, 5.3.15 or 5.4.3.
Workarounds
Disable canonical tags in the settings of the website root page.
References
https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Links
- https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj
- https://nvd.nist.gov/vuln/detail/CVE-2024-45612
- https://github.com/contao/contao/commit/1c28e9ac7a7b915134962a59681a8701a44ccbe2
- https://github.com/contao/contao/commit/d105224e14ddc84f27cd8802b553369decdcbe66
- https://github.com/contao/contao/commit/ffe05cda5310dc2bd259d1391197f3849dab8590
- https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls
Packages
contao/core-bundle: affected >= 4.13.0, < 4.13.49; patched in 4.13.49
contao/core-bundle: affected >= 5.0.0, < 5.3.15; patched in 5.3.15
contao/core-bundle: affected >= 5.4.0, < 5.4.3; patched in 5.4.3
EPSS
6.9 Medium
CVSS4
5.3 Medium
CVSS3
CVE ID
Defects
Related vulnerabilities
Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings.