Cross-site Scripting (XSS) in contao/contao
Apr 28th 2022
Proof of Concept
Steps to reproduce: Naviagate the below URL URL: https://demo.contao.org/contao/"><svg//onload=alert(112233)> Here Some Image POC Attached
Attacker can execute Malicious JS in Application :)
Thank you for reporting this vulnerability!
We will implement a fix and contact you again after a new version was released.
Thanks @maintainer for your good response :)
The following CVE ID was assigned for this issue: CVE-2022-24899
Thanks @maintainer ❤️🩹
@aggressiveuser Thank you very much. Please contact association[at]contao.org for a bug bounty.
Hi @maintainer i send a mail to your that email association[at]contao.org
@maintainer - it looks like two CVEs were requested, both here and via GitHub Security Advisory Database. Was this on purpose and can I support in remediating this for you?
@jamieslome We already established a workflow for security related issues, that is in line with GitHub's guidelines for coordinated disclosure and has proven to work well for us. This also includes requesting CVEs - please see https://github.com/contao/contao/security/policy.
Deviating from this workflow makes things more complicated for us, therefore we kindly ask for being removed from your platform. Alternatively you can send reporters directly to our security policy. Thank you!