by Leo Feyer

Insert tag injection in forms

Date: 2020-09-24
CVE ID: CVE-2020-25768

Description

It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4 up to 4.4.51
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9 up to 4.9.5
Contao 4.10 up to 4.10.0

Suggested solution

Update to Contao 4.4.52, 4.9.6 or 4.10.1.

Workaround

Disable the front end login form and do not use form fields with array keys such as fieldname[].