CVE-2020-25768 — Improper Input Validation in Contao

CWE-20 — Improper Input Validation CWE-74 — Injection4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 45.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contao Contao Core-bundle

Timeline

PublishedOct 7

Description

Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDcontao/contao4.0 — 4.4.52+2

▶Packagistcontao/contao4.0.0 — 4.4.52+2

▶Packagistcontao/core-bundle4.0.0 — 4.4.52+2

🔴Vulnerability Details

CVEList

CVE-2020-25768: Contao before 4↗2020-10-07

▶

OSV

Contao Insert tag injection in forms↗2020-09-24

▶

GHSA

Contao Insert tag injection in forms↗2020-09-24

▶