GoogleOSV:GHSA-F7WM-X4GW-6M23Contao Insert tag injection in forms
0.001 Low
EPSS
Percentile
38.7%
Impact
It is possible to inject insert tags in frontend forms which will be replaced when the page is rendered.
Patches
Update to Contao 4.4.52, 4.9.6 or 4.10.1.
Workarounds
Disable the front end login form and do not use form fields with array keys such as fieldname[].
References
https://contao.org/en/security-advisories/insert-tag-injection-in-forms
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
References
community.contao.org/en/forumdisplay.php?4-Announcements
contao.org/en/security-advisories/insert-tag-injection-in-forms.html
github.com/contao/contao
github.com/contao/contao/security/advisories/GHSA-f7wm-x4gw-6m23
github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2020-25768.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2020-25768.yaml
nvd.nist.gov/vuln/detail/CVE-2020-25768
Related
