First published: Tue Dec 17 2019

### Impact

It is possible to inject insert tags into the login module which will be replaced when the page is rendered.

### Patches

Update to Contao 4.8.6.

### Workarounds

None.

### References

https://contao.org/en/security-advisories/insert-tag-injection-in-the-login-module

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

Credit: cve@mitre.org

Affected Software | Affected Version | How to fix |
---|---|---|
composer/contao/core-bundle | >=4.8.4 <4.8.6 | 4.8.6 |
composer/contao/contao | >=4.8.4 <4.8.6 | 4.8.6 |
Contao Contao | =4.8.4 | |
Contao Contao | =4.8.5 | |

You can find more information about CVE-2019-19714 at the following references:

- [Contao security advisory](https://contao.org/en/security-advisories/insert-tag-injection-in-the-login-module.html)
- [GitHub advisory GHSA-jc43-qrrp-98f5](https://github.com/contao/contao/security/advisories/GHSA-jc43-qrrp-98f5)
- [NVD entry for CVE-2019-19714](https://nvd.nist.gov/vuln/detail/CVE-2019-19714)

CVE-2019-19714 has a severity rating of medium.