cve-2024-45612
Vulnerability from cvelistv5
Published
2024-09-17 18:29
Modified
2024-09-18 14:09
Summary
Insert tag injection via canonical URL in Contao
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "contao", "vendor": "contao", "versions": [ { "lessThan": "4.13.49", "status": "affected", "version": "4.13.0", "versionType": "custom" }, { "lessThan": "5.3.15", "status": "affected", "version": "5.0.0", "versionType": "custom" }, { "lessThan": "5.4.3", "status": "affected", "version": "5.4.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45612", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-18T14:06:58.302616Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-18T14:09:48.584Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "contao", "vendor": "contao", "versions": [ { "status": "affected", "version": "\u003e= 4.13.0, \u003c 4.13.49" }, { "status": "affected", "version": "\u003e= 5.0.0, \u003c 5.3.15" }, { "status": "affected", "version": "\u003e= 5.4.0, \u003c 5.4.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-17T18:29:27.210Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj" }, { "name": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls", "tags": [ "x_refsource_MISC" ], "url": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls" } ], "source": { "advisory": "GHSA-2xpq-xp6c-5mgj", "discovery": "UNKNOWN" }, "title": "Insert tag injection via canonical URL in Contao" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45612", "datePublished": "2024-09-17T18:29:27.210Z", "dateReserved": "2024-09-02T16:00:02.425Z", "dateUpdated": "2024-09-18T14:09:48.584Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-45612\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-17T19:15:28.250\",\"lastModified\":\"2024-09-23T19:33:04.650\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Contao is an Open Source CMS. 
In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings.\"},{\"lang\":\"es\",\"value\":\"Contao es un CMS de c\u00f3digo abierto. En las versiones afectadas, un usuario no confiable puede insertar etiquetas de inserci\u00f3n en la etiqueta can\u00f3nica, que luego se reemplazan en la p\u00e1gina web (interfaz). Se recomienda a los usuarios que actualicen a Contao 4.13.49, 5.3.15 o 5.4.3. Los usuarios que no puedan actualizar deben deshabilitar las etiquetas can\u00f3nicas en la configuraci\u00f3n de la p\u00e1gina ra\u00edz.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"la
ng\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.13.0\",\"versionEndExcluding\":\"4.13.49\",\"matchCriteriaId\":\"654C764D-CA76-404D-8D37-FCD94B38C980\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.3.0\",\"versionEndExcluding\":\"5.3.15\",\"matchCriteriaId\":\"81742BA9-7293-4F0A-87B6-AEB4618143E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.0\",\"versionEndExcluding\":\"5.4.3\",\"matchCriteriaId\":\"BB66A97A-A8FA-4D3A-8E93-6692772217AC\"}]}]}],\"references\":[{\"url\":\"https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not seen being exploited by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.