CVE-2024-45612: 
PHP vulnerability analysis and mitigation

Contao, an Open Source CMS, was found to contain a vulnerability identified as CVE-2024-45612. The vulnerability allows untrusted users to inject insert tags into the canonical tag, which are then replaced when the web page is rendered in the front end. This issue affects Contao versions 4.13.0 through 4.13.48, 5.0, 5.1, 5.2, 5.3.0 through 5.3.14, and 5.4.0 through 5.4.2 (Contao Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and has a limited impact on confidentiality with no impact on integrity or availability. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) (NVD, GitHub Advisory).

The vulnerability allows attackers to inject insert tags into canonical URLs which are then processed and replaced when the page is rendered. This could potentially lead to information disclosure through the manipulation of canonical tags (Contao Advisory).

Users are advised to upgrade to Contao versions 4.13.49, 5.3.15, or 5.4.3 which contain patches for this vulnerability. For users unable to upgrade immediately, a workaround is available by disabling canonical tags in the root page settings (Contao Advisory).