CVE-2022-24899
Severity: HIGH | Nuclei template available
Contao 4.13.0-4.13.2 - Cross-Site Scripting via Canonical URL
Title source: LLM
Exploitation Summary
CVE-2022-24899 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.
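The pattern behind this class of bug, as an added illustration that is not Contao's code and does not reproduce the actual Contao 4.13 code path: a canonical URL is typically assembled from request data (host, path, query string), so it is attacker-influenced, and writing it into the `href` attribute without HTML-attribute encoding lets a crafted URL break out of the tag (CWE-79). The sample request URL and the function names are constructed for the example; the fix shown is the generic one, output encoding for the attribute context, with an optional scheme allowlist as defense in depth.

```php
<?php
// Added example (not Contao's code): vulnerable vs. hardened rendering of a
// <link rel="canonical"> tag whose URL comes from the request.

// Constructed sample input: a request URL carrying a tag-breakout payload.
$requestedUrl = 'https://example.com/news/"><script>alert(1)</script>';

// Vulnerable: the URL is interpolated straight into an HTML attribute, so the
// embedded double quote closes href="..." and the rest becomes markup.
function renderCanonicalUnsafe(string $url): string
{
    return '<link rel="canonical" href="' . $url . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES escapes both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function renderCanonicalSafe(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<link rel="canonical" href="' . $escaped . '">';
}

// Defense in depth: a canonical URL should be an absolute http(s) URL. Anything
// else is dropped (return null and emit no tag) rather than "cleaned up".
function canonicalUrlOrNull(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

echo renderCanonicalUnsafe($requestedUrl), PHP_EOL;
echo renderCanonicalSafe($requestedUrl), PHP_EOL;

$validated = canonicalUrlOrNull($requestedUrl);
echo $validated === null
    ? '(no canonical tag emitted)'
    : renderCanonicalSafe($validated), PHP_EOL;
```

The first line of output contains a live `<script>` element; the second keeps the payload inert inside the attribute as `&quot;&gt;&lt;script&gt;...`. Note that the allowlist alone is not a fix here: the sample URL still parses as an `https` URL with a host, so `canonicalUrlOrNull` accepts it and only the encoding in `renderCanonicalSafe` prevents the injection. For Contao itself the remediation is upgrading to 4.13.3; disabling canonical tags in the root page settings is the vendor's interim workaround.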
Nuclei Templates (1)
Contao <4.13.3 - Cross-Site Scripting
Severity: MEDIUM, by ritikchaddha
Shodan:
title:"Contao" || http.title:"contao" || http.html:"contao open source cms" || cpe:"cpe:2.3:a:contao:contao"
FOFA:
body="contao open source cms" || title="contao"
References (3)
Patch, Third Party Advisory (fix commit):
https://github.com/contao/contao/commit/199206849a87ddd0fa5cf674eb3c58292fd8366c
Third Party Advisory (GitHub Security Advisory):
https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
Vendor Advisory:
https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html
Scores
CVSS v3.1: 7.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0372 (88.4th percentile)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, Cross-site Scripting)
Status: published
Products (3)
contao/contao: 4.13.0 - 4.13.2
contao/contao (Packagist): >= 4.13.0, < 4.13.3
contao/core-bundle (Packagist): >= 4.13.0, < 4.13.3
Published: May 06, 2022
Tracked Since: Feb 18, 2026