{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45612", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-02T16:00:02.425Z", "datePublished": "2024-09-17T18:29:27.210Z", "dateUpdated": "2024-09-18T14:09:48.584Z"}, "containers": {"cna": {"title": "Insert tag injection via canonical URL in Contao", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj"}, {"name": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls", "tags": ["x_refsource_MISC"], "url": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls"}], "affected": [{"vendor": "contao", "product": "contao", "versions": [{"version": ">= 4.13.0, < 4.13.49", "status": "affected"}, {"version": ">= 5.0.0, < 5.3.15", "status": "affected"}, {"version": ">= 5.4.0, < 5.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-17T18:29:27.210Z"}, "descriptions": [{"lang": "en", "value": "Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings."}], "source": {"advisory": "GHSA-2xpq-xp6c-5mgj", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "contao", "product": "contao", "cpes": ["cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.13.0", "status": "affected", "lessThan": "4.13.49", "versionType": "custom"}, {"version": "5.0.0", "status": "affected", "lessThan": "5.3.15", "versionType": "custom"}, {"version": "5.4.0", "status": "affected", "lessThan": "5.4.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T14:06:58.302616Z", "id": "CVE-2024-45612", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T14:09:48.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45612", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-18T14:06:58.302616Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*"], "vendor": "contao", "product": "contao", "versions": [{"status": "affected", "version": "4.13.0", "lessThan": "4.13.49", "versionType": "custom"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.3.15", "versionType": "custom"}, {"status": "affected", "version": "5.4.0", "lessThan": "5.4.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T14:09:42.712Z"}}], "cna": {"title": "Insert tag injection via canonical URL in Contao", "source": {"advisory": "GHSA-2xpq-xp6c-5mgj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "contao", "product": "contao", "versions": [{"status": "affected", "version": ">= 4.13.0, < 4.13.49"}, {"status": "affected", "version": ">= 5.0.0, < 5.3.15"}, {"status": "affected", "version": ">= 5.4.0, < 5.4.3"}]}], "references": [{"url": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj", "name": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls", "name": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-17T18:29:27.210Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45612", "state": "PUBLISHED", "dateUpdated": "2024-09-18T14:09:48.584Z", "dateReserved": "2024-09-02T16:00:02.425Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-17T18:29:27.210Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "matchCriteriaId": "654C764D-CA76-404D-8D37-FCD94B38C980", "versionEndExcluding": "4.13.49", "versionStartIncluding": "4.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "matchCriteriaId": "81742BA9-7293-4F0A-87B6-AEB4618143E6", "versionEndExcluding": "5.3.15", "versionStartIncluding": "5.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:contao:contao:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB66A97A-A8FA-4D3A-8E93-6692772217AC", "versionEndExcluding": "5.4.3", "versionStartIncluding": "5.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to upgrade should disable canonical tags in the root page settings."}, {"lang": "es", "value": "Contao es un CMS de c\u00f3digo abierto. En las versiones afectadas, un usuario no confiable puede insertar etiquetas de inserci\u00f3n en la etiqueta can\u00f3nica, que luego se reemplazan en la p\u00e1gina web (interfaz). Se recomienda a los usuarios que actualicen a Contao 4.13.49, 5.3.15 o 5.4.3. Los usuarios que no puedan actualizar deben deshabilitar las etiquetas can\u00f3nicas en la configuraci\u00f3n de la p\u00e1gina ra\u00edz."}], "id": "CVE-2024-45612", "lastModified": "2024-09-23T19:33:04.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-17T19:15:28.250", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://contao.org/en/security-advisories/insert-tag-injection-via-canonical-urls"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/contao/contao/security/advisories/GHSA-2xpq-xp6c-5mgj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}