Cross-site scripting in Contao - CVE-2022-24899

Published: May 5, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130131
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2022-24899
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Contao
Software vendor:
Contao

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the canonical URL handling of contao/core-bundle: the canonical URL is written into the <link rel="canonical"> tag of the rendered page head without being escaped for the HTML attribute context. A remote attacker can trick a victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.

The injected code is executed in the front end, i.e. on the public site, so no back-end authentication is required (PR:N in the vector above).
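The following PHP snippet is an added illustration of the CWE-79 pattern described above; it is not Contao's code and does not reproduce the project's templates. It contrasts a canonical-tag renderer that drops the URL into the href attribute unescaped with a hardened variant that validates the scheme and host and escapes for the attribute context. The function names, the fallback URL and the attacker-controlled request URL are constructed for this example.

```php
<?php
// Added illustration (not Contao's code): the CWE-79 pattern behind an
// unescaped canonical URL, next to a hardened variant. Function names and
// the sample URLs below are constructed for this example.

declare(strict_types=1);

/** Vulnerable pattern: the canonical URL is written into the attribute as-is. */
function renderCanonicalVulnerable(string $canonicalUrl): string
{
    return '<link rel="canonical" href="' . $canonicalUrl . '">';
}

/**
 * Hardened pattern: only accept an absolute http(s) URL with a host, fall
 * back to a known-good URL otherwise, then escape for the HTML attribute
 * context. ENT_QUOTES turns the closing double quote into &quot;, so the
 * attacker cannot break out of the href value.
 */
function renderCanonicalSafe(string $canonicalUrl, string $fallback): string
{
    $parts  = parse_url($canonicalUrl) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        $canonicalUrl = $fallback;
    }
    $escaped = htmlspecialchars($canonicalUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<link rel="canonical" href="' . $escaped . '">';
}

// Constructed attacker-controlled request URL: the path closes the href
// attribute, opens a <script> element and re-opens an attribute afterwards
// so the remaining markup still parses.
$payload = 'https://example.org/news/"><script>alert(document.domain)</script><link href="';

echo "vulnerable:\n", renderCanonicalVulnerable($payload), "\n\n";
echo "hardened:\n", renderCanonicalSafe($payload, 'https://example.org/'), "\n";
```

Run with `php canonical.php`: the vulnerable output contains a live <script> element in the page head, while the hardened output keeps the whole payload inside the attribute as &quot;&gt;&lt;script&gt;... and the browser treats it as part of the URL string. Escaping at the output point is the fix; the scheme and host check is an additional sanity check, not a substitute for it.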


Remediation

Install security update from vendor's website. The issue is fixed in Contao 4.13.3; the affected contao/core-bundle versions are 4.13.0 through 4.13.2.

External links