by Leo Feyer

Cross-site scripting via canonical URL

Date: 2022-05-05
CVE ID: CVE-2022-24899

Description

Untrusted users can inject malicious code into the canonical tag, which is then executed on the web page (front end).

Affected versions

Contao 4.13 up to 4.13.2

Suggested solution

Update to Contao 4.13.3.

Workaround

Disable canonical tags in the root page settings.

More information

https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2