Insert tag injection in the Contao login module · CVE-2019-19714 · GitHub Advisory Database · GitHub

Insert tag injection in the Contao login module

Moderate severity GitHub Reviewed Published Dec 17, 2019 in contao/contao • Updated Apr 22, 2024

Package

contao/contao (Composer)

Affected versions

>= 4.8.4, < 4.8.6

Patched versions

4.8.6

contao/core-bundle (Composer)

>= 4.8.4, < 4.8.6

4.8.6

Description

Impact

It is possible to inject insert tags into the login module which will be replaced when the page is rendered.

Patches

Update to Contao 4.8.6.

Workarounds

None.

References

https://contao.org/en/security-advisories/insert-tag-injection-in-the-login-module

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

References

leofeyer published to contao/contao

Dec 17, 2019

Reviewed Dec 17, 2019

Published to the GitHub Advisory Database Dec 17, 2019

Last updated Apr 22, 2024

Severity

Moderate

5.3

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N