It is possible to inject insert tags in frontend forms which will be replaced when the page is rendered.
Update to Contao 4.4.52, 4.9.6 or 4.10.1.
Disable the front end login form and do not use form fields with array keys such as fieldname[]
.
https://contao.org/en/security-advisories/insert-tag-injection-in-forms
If you have any questions or comments about this advisory, open an issue in contao/contao.
community.contao.org/en/forumdisplay.php?4-Announcements
contao.org/en/security-advisories/insert-tag-injection-in-forms.html
github.com/contao/contao
github.com/contao/contao/security/advisories/GHSA-f7wm-x4gw-6m23
github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2020-25768.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2020-25768.yaml
nvd.nist.gov/vuln/detail/CVE-2020-25768