SB2020092432 - Improper Neutralization of Special Elements in Output Used by a Downstream Component in Contao

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2020-25768)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper input neutralization in front end forms when processing user-supplied form input. A remote attacker can inject insert tags to disclose sensitive information.

The issue is triggered when injected insert tags are replaced during page rendering.

Remediation

Install update from vendor's website.

References

• https://github.com/contao/contao/security/advisories/GHSA-f7wm-x4gw-6m23
• https://contao.org/en/security-advisories/insert-tag-injection-in-forms