GHSA-m8x6-6r63-qvj2
GitHub Security Advisory
Cross site scripting via canonical tag in Contao
Severity: HIGH (GitHub reviewed, CVE assigned)
Advisory Details
### Impact
Untrusted users can inject markup into the canonical `<link>` tag rendered in the front end. Because the injected content is emitted into the page unescaped, it executes in the browser of any visitor who loads the affected page (cross-site scripting).
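The advisory does not say how Contao builds the canonical URL or what the 4.13.3 patch changed, so the following is an added illustration, not Contao's own code: a canonical tag assembled from the raw request URI beside a hardened version that rebuilds the URL from validated parts and HTML-escapes the attribute. The function names, the sample request and the allowed-host list are all assumptions made for the example.

```php
<?php
// Added example, not code from Contao or from the advisory. All names here
// are hypothetical.

// Constructed sample request: a query string that tries to break out of
// the href attribute of the canonical tag.
$requestUri = '/news/article?x="><script>alert(document.domain)</script>';
$host       = 'www.example.com';

// VULNERABLE: the request URI is concatenated into the tag unescaped, so the
// double quote in the query string closes the href attribute and everything
// after it is emitted as markup.
function canonicalTagUnsafe(string $host, string $requestUri): string
{
    return '<link rel="canonical" href="https://' . $host . $requestUri . '">';
}

// HARDENED: only emit the tag for hosts we serve, rebuild the URL from the
// path component alone, percent-encode each path segment, and HTML-escape
// the attribute value. Returning null corresponds to "no canonical tag",
// which is also what the advisory's workaround (disabling canonical tags)
// achieves.
function canonicalTagSafe(string $host, string $requestUri, array $allowedHosts): ?string
{
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }

    $parts = parse_url($requestUri);
    if ($parts === false || !isset($parts['path'])) {
        return null;
    }

    // The query string is attacker-controlled and a canonical URL should not
    // depend on it, so only the path is kept.
    $segments = array_map('rawurlencode', explode('/', $parts['path']));
    $url = 'https://' . $host . implode('/', $segments);

    return '<link rel="canonical" href="'
        . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

echo canonicalTagUnsafe($host, $requestUri), PHP_EOL;
// <link rel="canonical" href="https://www.example.com/news/article?x="><script>alert(document.domain)</script>">

echo canonicalTagSafe($host, $requestUri, ['www.example.com']), PHP_EOL;
// <link rel="canonical" href="https://www.example.com/news/article">
```

The two defences are independent and both matter: escaping alone still lets an attacker choose the canonical URL (a search-engine poisoning issue rather than XSS), while rebuilding the URL from validated components alone still needs escaping if a path segment could ever contain a quote or angle bracket.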
### Patches
Update to Contao 4.13.3.
### Workarounds
If you cannot update immediately, disable canonical tags in the root page settings; this removes the injection point until the fix is installed.
### References
https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url
### For more information
If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
Affected Packages
- Packagist: contao/core-bundle, affected versions >= 4.13.0, < 4.13.3 (fixed in 4.13.3)
- Packagist: contao/contao, affected versions >= 4.13.0, < 4.13.3 (fixed in 4.13.3)
Key Information
CVSS score: 7.5 / 10
Dataset
Last updated: July 28, 2025 6:37 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.