Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY3d20teDRndy02bTIz
Contao Insert tag injection in forms
Impact
It is possible to inject insert tags in frontend forms which will be replaced when the page is rendered.
Patches
Update to Contao 4.4.52, 4.9.6 or 4.10.1.
Workarounds
Disable the front end login form and do not use form fields with array keys such as fieldname[].
References
https://contao.org/en/security-advisories/insert-tag-injection-in-forms
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Permalink: https://github.com/advisories/GHSA-f7wm-x4gw-6m23JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY3d20teDRndy02bTIz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 2 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-f7wm-x4gw-6m23, CVE-2020-25768
References:
- https://github.com/contao/contao/security/advisories/GHSA-f7wm-x4gw-6m23
- https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-25768
- https://community.contao.org/en/forumdisplay.php?4-Announcements
- https://github.com/advisories/GHSA-f7wm-x4gw-6m23
Affected Packages
packagist:contao/core-bundle
Versions: = 4.10.0, >= 4.5.0, < 4.9.6, >= 4.0.0, < 4.4.52Fixed in: 4.10.1, 4.9.6, 4.4.52