Cross-site Scripting (XSS) in contao/contao

Valid

Reported on

Apr 28th 2022


Proof of Concept

Steps to reproduce:
Navigate to the below URL
URL: https://demo.contao.org/contao/"><svg//onload=alert(112233)>
Image PoC is attached here

Trigger

Impact

An attacker can execute malicious JS in the application :)
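The report shows an attribute-breakout payload placed in the request path. As an added illustration (not code from the report or from the Contao project; the page does not state which template sink reflects the path, so the form-action sink below is an assumption), this example renders the path into an HTML attribute both unencoded and HTML-escaped, and runs a small detection heuristic over constructed access-log lines that contain the same percent-encoded request.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the request path of the PoC URL from the report,
# as the web server would hand it to the application.
POC_URL = 'https://demo.contao.org/contao/"><svg//onload=alert(112233)>'
POC_PATH = urlsplit(POC_URL).path

# Constructed access-log lines (Apache combined-style, abbreviated). The
# second line carries the PoC path the way a browser percent-encodes it.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [28/Apr/2022:10:00:01 +0000] "GET /contao/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Apr/2022:10:00:07 +0000] '
    '"GET /contao/%22%3E%3Csvg//onload=alert(112233)%3E HTTP/1.1" 200 5310',
    '198.51.100.9 - - [28/Apr/2022:10:01:00 +0000] "GET /contao/login HTTP/1.1" 302 0',
]


def render_form_action_vulnerable(request_path: str) -> str:
    """Reflect the request path into an attribute without encoding.

    Hypothetical sink that mirrors the bug class in the report: a double
    quote in the path closes the attribute value, and the rest of the
    path is parsed by the browser as markup.
    """
    return f'<form action="{request_path}" method="post">'


def render_form_action_hardened(request_path: str) -> str:
    """Encode for the HTML attribute context.

    html.escape(quote=True) turns & < > " ' into entities, so the path
    stays inert data inside the quoted attribute.
    """
    return f'<form action="{html.escape(request_path, quote=True)}" method="post">'


def attribute_breakout(markup: str, expected_tags: int = 1) -> bool:
    """Return True when the rendered markup contains more opening tags
    than the template itself emits, i.e. reflected input became markup."""
    return markup.count("<") > expected_tags


_REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
_MARKUP_METACHARS = ('<', '>', '"', "'")


def flag_suspicious_requests(log_lines) -> list:
    """Detection heuristic for web-server logs.

    Decodes each request target and reports the ones that carry markup
    metacharacters, which legitimate Contao paths do not contain. Returns
    the decoded paths so the caller can inspect them.
    """
    flagged = []
    for line in log_lines:
        match = _REQUEST_TARGET.search(line)
        if not match:
            continue
        decoded = unquote(match.group(1))
        if any(ch in decoded for ch in _MARKUP_METACHARS):
            flagged.append(decoded)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", render_form_action_vulnerable(POC_PATH))
    print("hardened:  ", render_form_action_hardened(POC_PATH))
    print("flagged:   ", flag_suspicious_requests(SAMPLE_ACCESS_LOG))
```

The hardened renderer is only correct for a quoted attribute value; a path reflected into a JavaScript block or a URL-scheme position needs context-specific encoding instead. The log heuristic is deliberately narrow (it decodes once and looks for raw metacharacters) and will miss double-encoded payloads; it is meant as a starting point for a detection rule, not a complete one.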

We are processing your report and will contact the contao team within 24 hours. a month ago
We have contacted a member of the contao team and are waiting to hear back a month ago
contao/contao maintainer
a month ago

Maintainer


Thank you for reporting this vulnerability!

We will implement a fix and contact you again after a new version was released.

AggressiveUser
a month ago

Researcher


Thanks @maintainer for your good response :)

contao/contao maintainer
a month ago

Maintainer


The following CVE ID was assigned for this issue: CVE-2022-24899

AggressiveUser
a month ago

Researcher


Thanks @maintainer ❤️‍🩹

We have sent a follow up to the contao team. We will try again in 7 days. a month ago
contao/contao maintainer assigned a CVE to this report 23 days ago
contao/contao maintainer validated this vulnerability 23 days ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
contao/contao maintainer confirmed that a fix has been merged on 199206 23 days ago
The fix bounty has been dropped
contao/contao maintainer
23 days ago

Maintainer


https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2

contao/contao maintainer
23 days ago

Maintainer


@aggressiveuser Thank you very much. Please contact association[at]contao.org for a bug bounty.

AggressiveUser
19 days ago

Researcher


Hi @maintainer, I sent a mail to that email, association[at]contao.org

Jamie Slome
5 days ago

Admin


@maintainer - it looks like two CVEs were requested, both here and via GitHub Security Advisory Database. Was this on purpose and can I support in remediating this for you?

contao/contao maintainer
5 days ago

Maintainer


@jamieslome We already established a workflow for security-related issues that is in line with GitHub's guidelines for coordinated disclosure and has proven to work well for us. This also includes requesting CVEs - please see https://github.com/contao/contao/security/policy.

Deviating from this workflow makes things more complicated for us, therefore we kindly ask to be removed from your platform. Alternatively, you can send reporters directly to our security policy. Thank you!
