Contao · Contao · CVE-2024-28191
**Name of the Vulnerable Software and Affected Versions**
Contao versions 4.0.0 through 4.13.39
Contao versions 5.0.0 through 5.3.3
**Description**
The issue allows tags to be injected in frontend forms if the output is structured in a very specific way. It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.
**Recommendations**
For Contao versions 4.0.0 through 4.13.39, update to Contao 4.13.40.
For Contao versions 5.0.0 through 5.3.3, update to Contao 5.3.4.
As a temporary workaround, do not output user data from frontend forms next to each other; always separate the values by at least one character.
Do not output the submitted form data on the website.