Lucene search

GoogleOSV:GHSA-F7WM-X4GW-6M23

HistorySep 24, 2020 - 4:23 p.m.

Contao Insert tag injection in forms

2020-09-2416:23:54

Google

osv.dev

insert tags

forms

frontend

contao 4.4.52

contao 4.9.6

contao 4.10.1

array keys

security advisory

github

EPSS

0.001

Percentile

38.7%

It is possible to inject insert tags in frontend forms which will be replaced when the page is rendered.

Update to Contao 4.4.52, 4.9.6 or 4.10.1.

Disable the front end login form and do not use form fields with array keys such as fieldname[].

If you have any questions or comments about this advisory, open an issue in contao/contao.

References

community.contao.org/en/forumdisplay.php?4-Announcements

contao.org/en/security-advisories/insert-tag-injection-in-forms.html

github.com/contao/contao

github.com/contao/contao/security/advisories/GHSA-f7wm-x4gw-6m23

github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2020-25768.yaml

github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2020-25768.yaml

nvd.nist.gov/vuln/detail/CVE-2020-25768

EPSS

0.001

Percentile

38.7%

Related for OSV:GHSA-F7WM-X4GW-6M23