CVE-2020-25768

Published: Oct 7, 2020Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

Affected (3)

Products: Contao: Contao

Contao

1 product

Contao

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Contao Contao	From 4.0 to 4.4.52
Contao Contao	From 4.10.0 to 4.10.1
Contao Contao	From 4.9.0 to 4.9.6

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (4)

https://community.contao.org/en/forumdisplay.php?4-Announcements

Source: cve@mitre.org

Release NotesVendor Advisory

https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html

Source: cve@mitre.org

Vendor Advisory

https://community.contao.org/en/forumdisplay.php?4-Announcements

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.