Home > Vulnerability Database > CVE-2024-45612

Mend.io Vulnerability Database

CVE-2024-45612

Good to know:

Date: September 17, 2024

Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings.

Language: PHP

Severity Score

5.3

Related Resources (8)

Url: https://github.com/contao/contao/commit/d105224e14ddc84f27cd8802b553369decdcbe66

Url: https://github.com/contao/contao/commit/ffe05cda5310dc2bd259d1391197f3849dab8590

Url: https://github.com/contao/contao/commit/1c28e9ac7a7b915134962a59681a8701a44ccbe2

Url: https://github.com/contao/contao

Url: https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls

Url: https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-45612

Url: https://www.mend.io/vulnerability-database/CVE-2024-45612

Severity Score

5.3

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Input Validation

CWE-20

Injection

CWE-74

Top Fix

Upgrade Version

Upgrade to version contao/core-bundle - 4.13.49,5.3.15,5.4.3

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-45612

Good to know:

Date: September 17, 2024

Language: PHP

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?