Cross-site Scripting (XSS) in contao/contao

Valid

Reported on

Apr 28th 2022


Proof of Concept

Steps to reproduce:
Navigate to the URL below
URL: https://demo.contao.org/contao/"><svg//onload=alert(112233)>
Image PoC attached here

Trigger

Impact

Attacker can execute malicious JS in the application :)
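
The attribute-context break-out the PoC relies on, and the context-aware output encoding that neutralises it, as an added example that is not part of the report or of Contao's code: the `<a href>` template, the helper names and the log-free request path are stand-ins for whatever sink reflected the request path.

```python
"""Reflected XSS in an HTML attribute context.

The payload shape from the report is ' "><svg//onload=alert(...)> ': the quote
closes the attribute, '>' closes the tag, and a new element carrying an event
handler is injected. Illustrative stand-in template, not Contao's own code.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed copy of the PoC path as a browser would send it (percent-encoded)
# and in the decoded form the application sees after routing.
REQUEST_PATH_ENCODED = "/contao/%22%3E%3Csvg//onload=alert(112233)%3E"
PAYLOAD_PATH = '/contao/"><svg//onload=alert(112233)>'


def render_vulnerable(request_path: str) -> str:
    """Reflects the raw request path into a quoted attribute (the bug class)."""
    return f'<a href="{request_path}">back</a>'


def render_escaped(request_path: str) -> str:
    """Escapes for an attribute context: quote=True also encodes the quote chars."""
    return f'<a href="{escape(request_path, quote=True)}">back</a>'


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser would tokenise it."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def script_bearing_tags(markup: str) -> list[str]:
    """Return the tags that carry an on* event-handler attribute (injected script)."""
    parser = TagCollector()
    parser.feed(markup)
    return [tag for tag, attrs in parser.tags if any(k.startswith("on") for k in attrs)]


def demo() -> dict:
    """Render the decoded path both ways and report what a parser would execute."""
    path = unquote(REQUEST_PATH_ENCODED)
    return {
        "decoded_path": path,
        "vulnerable": script_bearing_tags(render_vulnerable(path)),  # ['svg']
        "escaped": script_bearing_tags(render_escaped(path)),        # []
    }
```

The escaped variant keeps the payload inside the attribute value, so the parser sees one `<a>` element and no `onload` handler.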

We are processing your report and will contact the contao team within 24 hours. a year ago
We have contacted a member of the contao team and are waiting to hear back a year ago
contao/contao maintainer
a year ago

Maintainer


Thank you for reporting this vulnerability!

We will implement a fix and contact you again after a new version was released.

AggressiveUser
a year ago

Researcher


Thanks @maintainer for your good response :)

contao/contao maintainer
a year ago

Maintainer


The following CVE ID was assigned for this issue: CVE-2022-24899

AggressiveUser
a year ago

Researcher


Thanks @maintainer ❤️‍🩹

We have sent a follow up to the contao team. We will try again in 7 days. a year ago
contao/contao maintainer assigned a CVE to this report a year ago
contao/contao maintainer validated this vulnerability a year ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
contao/contao maintainer marked this as fixed in 4.13.3 with commit 199206 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
contao/contao maintainer
a year ago

Maintainer


https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2

contao/contao maintainer
a year ago

Maintainer


@aggressiveuser Thank you very much. Please contact association[at]contao.org for a bug bounty.

AggressiveUser
a year ago

Researcher


Hi @maintainer, I sent a mail to that email, association[at]contao.org

Jamie Slome
a year ago

Admin


@maintainer - it looks like two CVEs were requested, both here and via GitHub Security Advisory Database. Was this on purpose and can I support in remediating this for you?

contao/contao maintainer
a year ago

Maintainer


@jamieslome We already established a workflow for security-related issues that is in line with GitHub's guidelines for coordinated disclosure and has proven to work well for us. This also includes requesting CVEs - please see https://github.com/contao/contao/security/policy.

Deviating from this workflow makes things more complicated for us, therefore we kindly ask to be removed from your platform. Alternatively, you can send reporters directly to our security policy. Thank you!
