Описание
Insert tag injection in the Contao login module
Impact
It is possible to inject insert tags into the login module which will be replaced when the page is rendered.
Patches
Update to Contao 4.8.6.
Workarounds
None.
References
https://contao.org/en/security-advisories/insert-tag-injection-in-the-login-module
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Ссылки
- https://github.com/contao/contao/security/advisories/GHSA-jc43-qrrp-98f5
- https://nvd.nist.gov/vuln/detail/CVE-2019-19714
- https://contao.org/en/security-advisories/insert-tag-injection-in-the-login-module.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-19714.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-19714.yaml
Пакеты
Наименование
contao/core-bundle
composer
Затронутые версииВерсия исправления
>= 4.8.4, < 4.8.6
4.8.6
Наименование
contao/contao
composer
Затронутые версииВерсия исправления
>= 4.8.4, < 4.8.6
4.8.6
Связанные уязвимости
CVSS3: 5.3
nvd
около 6 лет назад
Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered.