First published: Thu Sep 24 2020

### Impact

It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

### Patches

Update to Contao 4.4.52, 4.9.6 or 4.10.1.

### Workarounds

Disable the front end login form and do not use form fields with array keys such as `fieldname[]`.

### References

https://contao.org/en/security-advisories/insert-tag-injection-in-forms

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

Credit: cve@mitre.org

Affected Software | Affected Version | How to fix |
---|---|---|
composer/contao/core-bundle | >=4.0.0 <4.4.52, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.6, >=4.10.0 <4.10.1 | |
composer/contao/contao | >=4.0.0 <4.4.52, >=4.5.0 <4.6.0, >=4.6.0 <4.7.0, >=4.7.0 <4.8.0, >=4.8.0 <4.9.0, >=4.9.0 <4.9.6, >=4.10.0 <4.10.1 | |
Contao Contao | >=4.0 <4.4.52 | |
Contao Contao | >=4.9.0 <4.9.6 | |
Contao Contao | >=4.10.0 <4.10.1 | |
composer/contao/core-bundle | >=4.10.0 <4.10.1 | 4.10.1 |
composer/contao/contao | >=4.10.0 <4.10.1 | 4.10.1 |
composer/contao/contao | >=4.5.0 <4.9.6 | 4.9.6 |
composer/contao/contao | >=4.0.0 <4.4.52 | 4.4.52 |
composer/contao/core-bundle | >=4.5.0 <4.9.6 | 4.9.6 |
composer/contao/core-bundle | >=4.0.0 <4.4.52 | 4.4.52 |
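
An added example (not part of the advisory and not Contao's own code): a Python check of a `composer.lock` against the affected ranges in the table above. The sample lock file is constructed, and versions that are not plain `x.y.z` (branch aliases, pre-releases) are flagged for manual review instead of being guessed.

```python
import json
import re

# Affected ranges from the table above: (first affected, first fixed release).
AFFECTED = [((4, 0, 0), (4, 4, 52)), ((4, 5, 0), (4, 9, 6)), ((4, 10, 0), (4, 10, 1))]
PACKAGES = {"contao/core-bundle", "contao/contao"}

def parse_version(raw):
    """Return (major, minor, patch) for a plain 'x.y.z' or 'vx.y.z' string, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def fixed_in(version):
    """Return the fixed release for an affected version tuple, or None if unaffected."""
    for low, high in AFFECTED:
        if low <= version < high:
            return ".".join(str(n) for n in high)
    return None

def audit_lock(lock_text):
    """Return (package, locked version, action) for each Contao package needing attention."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, raw = pkg.get("name"), pkg.get("version", "")
        if name not in PACKAGES:
            continue
        version = parse_version(raw)
        if version is None:
            # e.g. '4.9.x-dev' or '4.10.1-RC1': cannot be ranked safely here.
            findings.append((name, raw, "review manually"))
        elif fixed_in(version):
            findings.append((name, raw, "update to " + fixed_in(version)))
    return findings

# Constructed sample lock file content (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "contao/core-bundle", "version": "4.9.5"},
        {"name": "contao/contao", "version": "v4.10.1"},
        {"name": "symfony/console", "version": "v4.4.13"},
    ],
    "packages-dev": [{"name": "contao/core-bundle", "version": "4.9.x-dev"}],
})

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print(*finding, sep="\t")
```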
CVE-2020-25768 is a vulnerability that allows for insert tag injection in front end forms in Contao.
The impact of CVE-2020-25768 is the ability to inject insert tags in frontend forms, which will be replaced when the page is rendered.
CVE-2020-25768 has a severity rating of medium (5.3).
To fix CVE-2020-25768, update to Contao 4.4.52, 4.9.6, or 4.10.1.
Yes, you can disable the front end login form and avoid using form fields with array keys such as 'fieldname[]'.