exploitDog

GHSA-747v-52c4-8vj8

Published: 09 Apr 2024
Source: github
GitHub: Reviewed
CVSS3: 3.1

Description

Contao: Unencoded insert tags in the frontend

Impact

It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.

Patches

Update to Contao 4.13.40 or 5.3.4.

Workarounds

Do not output the submitted form data on the website.

References

https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Packages

Name                 Ecosystem   Affected versions         Fixed version
contao/core-bundle   composer    >= 4.0.0, < 4.13.40       4.13.40
contao/core-bundle   composer    >= 5.0.0-RC1, < 5.3.4     5.3.4

EPSS

Percentile: 76%
Score: 0.00961
Low

CVSS3

3.1 Low

Weaknesses

CWE-74

Related vulnerabilities

CVSS3: 3.1
nvd
almost 2 years ago

Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. As a workaround, do not output user data from frontend forms next to each other, always separate them by at least one character.
