PT-2020-16192 · Contao · Contao

Leo Feyer

Published

2020-09-24

Updated

2021-07-21

CVE-2020-25768

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Contao versions 4.4.0 through 4.4.51 Contao versions 4.9.0 through 4.9.5 Contao versions 4.10.0 through 4.10.0

Description The issue is related to Improper Input Validation, allowing the injection of insert tags in front end forms. These tags will be replaced when the page is rendered.

Recommendations Update to Contao version 4.4.52. Update to Contao version 4.9.6. Update to Contao version 4.10.1. As a temporary workaround, consider disabling the front end login form. Avoid using form fields with array keys such as fieldname[] until the issue is resolved.

Exploit

Fix

Special Elements Injection

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-20

Related Identifiers

CVE-2020-25768

GHSA-F7WM-X4GW-6M23

Affected Products

Contao

PT-2020-16192 · Contao · Contao

CVE-2020-25768

Weakness Enumeration

Related Identifiers

Affected Products

References · 10