Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

2020

by Leo Feyer

Insert tag injection in forms

Date: 2020-09-24
CVE ID: CVE-2020-25768

It is possible to inject insert tags in front end forms which will be replaced when the page is rendered. The problem affects all Contao versions as of Contao 4.0 and has been fixed in Contao 4.4.52, 4.9.6 and 4.10.1.

Security advisory

Archive