CVE-2019-19714 — Improper Encoding or Escaping of Output in Contao

CWE-116 — Improper Encoding or Escaping of Output4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 56.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contao Contao Core-bundle

Timeline

PublishedDec 17

Description

Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶Packagistcontao/contao4.8.4 — 4.8.6

▶Packagistcontao/core-bundle4.8.4 — 4.8.6

▶NVDcontao/contao4.8.4, 4.8.5+1

🔴Vulnerability Details

GHSA

Insert tag injection in the Contao login module↗2019-12-17

▶

OSV

Insert tag injection in the Contao login module↗2019-12-17

▶

CVEList

CVE-2019-19714: Contao 4↗2019-12-17

▶