CVE-2024-45612

Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls	Vendor Advisory
https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:contao:contao::::::::
	cpe:2.3:a:contao:contao::::::::
	cpe:2.3:a:contao:contao::::::::

History

No history.

Information

Published : 2024-09-17 19:15

Updated : 2024-09-23 19:33

NVD link : CVE-2024-45612

Mitre link : CVE-2024-45612

CVE.ORG link : CVE-2024-45612

JSON object : View

Products Affected

contao

contao

CWE

CWE-20

Improper Input Validation

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2024-45612", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-09-17T19:15:28.250", "references": [{"url": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings."}, {"lang": "es", "value": "Contao es un CMS de c\u00f3digo abierto. En las versiones afectadas, un usuario no confiable puede insertar etiquetas de inserci\u00f3n en la etiqueta can\u00f3nica, que luego se reemplazan en la p\u00e1gina web (interfaz). Se recomienda a los usuarios que actualicen a Contao 4.13.49, 5.3.15 o 5.4.3. Los usuarios que no puedan actualizar deben deshabilitar las etiquetas can\u00f3nicas en la configuraci\u00f3n de la p\u00e1gina ra\u00edz."}], "lastModified": "2024-09-23T19:33:04.650", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "654C764D-CA76-404D-8D37-FCD94B38C980", "versionEndExcluding": "4.13.49", "versionStartIncluding": "4.13.0"}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81742BA9-7293-4F0A-87B6-AEB4618143E6", "versionEndExcluding": "5.3.15", "versionStartIncluding": "5.3.0"}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB66A97A-A8FA-4D3A-8E93-6692772217AC", "versionEndExcluding": "5.4.3", "versionStartIncluding": "5.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}