CVE-2022-24899

HIGH NUCLEI

Contao < 4.13.2 - XSS

Title source: rule

Description

Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround, users may disable canonical tags in the root page settings.

Nuclei Templates (1)

Contao <4.13.3 - Cross-Site Scripting
MEDIUM by ritikchaddha
Shodan: title:"Contao" || http.title:"contao" || http.html:"contao open source cms" || cpe:"cpe:2.3:a:contao:contao"
FOFA: body="contao open source cms" || title="contao"

Scores

CVSS v3 7.2
EPSS 0.4402
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
contao/contao 4.13.0 - 4.13.2
contao/contao 4.13.0 - 4.13.3 (Packagist)
contao/core-bundle 4.13.0 - 4.13.3 (Packagist)
Published May 06, 2022
Tracked Since Feb 18, 2026