Description
Contao is an open source content management system. Starting in version 4.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 contain a patch for this issue. As a workaround, do not output user data from frontend forms directly next to each other; always separate the values by at least one character.
References (4)
Vendor Advisory (x_refsource_confirm): https://github.com/contao/contao/security/advisories/GHSA-747v-52c4-8vj8
Patch (x_refsource_misc): https://github.com/contao/contao/commit/388859dcf110ca70e0fae68a2a5579ab6a702919
Patch (x_refsource_misc): https://github.com/contao/contao/commit/474a2fc25f1d84d786aba8c6d234af99e64d016b
Vendor Advisory (x_refsource_misc): https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator
Scores
CVSS v3 base score: 3.1
EPSS: 0.0096
EPSS percentile: 76.5%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-74
Status: published
Products (2)
contao/contao: 4.0.0 - 4.13.40
contao/core-bundle: 4.0.0 - 4.13.40 (Packagist)
Published: Apr 09, 2024
Tracked Since: Feb 18, 2026