GHSA-f7wm-x4gw-6m23
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f7wm-x4gw-6m23
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-f7wm-x4gw-6m23/GHSA-f7wm-x4gw-6m23.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f7wm-x4gw-6m23
- Aliases
- Published
- 2020-09-24T16:23:54Z
- Modified
- 2024-04-22T19:02:09.763522Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Contao Insert tag injection in forms
- Details
-
Impact
It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.
Patches
Update to Contao 4.4.52, 4.9.6 or 4.10.1.
Workarounds
Disable the front end login form and do not use form fields with array keys such as
fieldname[].References
https://contao.org/en/security-advisories/insert-tag-injection-in-forms
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
- Database specific
{ "nvd_published_at": "2020-10-07T21:15:00Z", "severity": "MODERATE", "github_reviewed_at": "2020-09-24T16:23:42Z", "github_reviewed": true, "cwe_ids": [ "CWE-20", "CWE-74" ] }- References
-
- https://github.com/contao/contao/security/advisories/GHSA-f7wm-x4gw-6m23
- https://nvd.nist.gov/vuln/detail/CVE-2020-25768
- https://community.contao.org/en/forumdisplay.php?4-Announcements
- https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2020-25768.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2020-25768.yaml
- https://github.com/contao/contao
Affected packages
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Affected versions
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0-beta1
4.1.0-RC1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0-beta1
4.2.0-RC1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0-RC1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.4.0-beta1
4.4.0-RC1
4.4.0-RC2
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.17
4.4.18
4.4.19
4.4.20
4.4.21
4.4.22
4.4.23
4.4.24
4.4.25
4.4.26
4.4.27
4.4.28
4.4.29
4.4.30
4.4.31
4.4.32
4.4.33
4.4.34
4.4.35
4.4.36
4.4.37
4.4.38
4.4.39
4.4.40
4.4.41
4.4.42
4.4.43
4.4.44
4.4.45
4.4.46
4.4.47
4.4.48
4.4.49
4.4.50
4.4.51
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle
Affected versions
4.*
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.6.0-RC1
4.6.0-RC2
4.6.0-RC3
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.6.10
4.6.11
4.6.12
4.6.13
4.6.14
4.7.0-RC1
4.7.0-RC2
4.7.0-RC3
4.7.0-RC4
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.7.7
4.8.0-RC1
4.8.0-RC2
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.9.0-RC1
4.9.0-RC2
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
Packagist / contao/contao
Package
- Name
- contao/contao
- Purl
- pkg:composer/contao/contao
Packagist / contao/contao
Package
- Name
- contao/contao
- Purl
- pkg:composer/contao/contao
Affected versions
4.*
4.5.13
4.5.14
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.6.10
4.6.11
4.6.12
4.6.13
4.6.14
4.7.0-RC1
4.7.0-RC2
4.7.0-RC3
4.7.0-RC4
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.7.7
4.8.0-RC1
4.8.0-RC2
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.9.0-RC1
4.9.0-RC2
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
Packagist / contao/contao
Package
- Name
- contao/contao
- Purl
- pkg:composer/contao/contao
Packagist / contao/core-bundle
Package
- Name
- contao/core-bundle
- Purl
- pkg:composer/contao/core-bundle