CVE-2020-25768
Severity: MEDIUM
Contao < 4.4.52, 4.9.x < 4.9.6, 4.10.x < 4.10.1 - Insert Tag Injection in Front End Forms
Title source: llmDescription
Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.
References (2)
Release Notes, Vendor Advisory (x_refsource_misc)
https://community.contao.org/en/forumdisplay.php?4-Announcements
Vendor Advisory (x_refsource_confirm)
https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html
Scores
CVSS v3
5.3
EPSS
0.0081
EPSS Percentile
52.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-20
CWE-74
Status
published
Products (3)
contao/contao
4.0 - 4.4.52
contao/contao
4.0.0 - 4.4.52 (Packagist)
contao/core-bundle
4.0.0 - 4.4.52 (Packagist)
Published
Oct 07, 2020
Tracked Since
Feb 18, 2026