Contao orgCONTAO:INSERT-TAG-INJECTION-IN-FORMSInsert tag injection in forms
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
38.7%
Date: 2020-09-24 CVE ID: CVE-2020-25768
Description
It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.
Affected versions
Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.51
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9 up to 4.9.5
Contao 4.10 up to 4.10.0
Suggested solution
Update to Contao 4.4.52, 4.9.6 or 4.10.1.
Workaround
Disable the front end login form and do not use form fields with array keys such as fieldname[].
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile
38.7%