5.3

CVSS Score

Basic Information

CVE ID

CVE-2020-25768

GHSA ID

GHSA-f7wm-x4gw-6m23

EPSS Score

CWE

CWE-20

Published

9/24/2020

Updated

4/22/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-25768

CVE-2020-25768:
Contao Insert tag injection in forms

Impact

It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

Patches

Update to Contao 4.4.52, 4.9.6 or 4.10.1.

Workarounds

Disable the front end login form and do not use form fields with array keys such as fieldname[].

References

https://contao.org/en/security-advisories/insert-tag-injection-in-forms

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

(GitHub Advisory)

5.3

CVSS Score

Basic Information

CVE ID

CVE-2020-25768

GHSA ID

GHSA-f7wm-x4gw-6m23

EPSS Score

CWE

CWE-20

Published

9/24/2020

Updated

4/22/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
contao/core-bundle	composer	>= 4.0.0, < 4.4.52	4.4.52
contao/core-bundle	composer	>= 4.5.0, < 4.9.6	4.9.6
contao/contao	composer	>= 4.0.0, < 4.4.52	4.4.52
contao/contao	composer	>= 4.5.0, < 4.9.6	4.9.6
contao/contao	composer	>= 4.10.0, < 4.10.1	4.10.1
contao/core-bundle	composer	>= 4.10.0, < 4.10.1	4.10.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input validation (CWE-20) when processing form submissions. Contao's InsertTagParser is designed to replace specially formatted tags, but when applied to unvalidated user input from forms (particularly fields using array keys), it allows injection. The Form class's compilation process likely feeds user input into this parser. The workaround guidance to avoid array keys and frontend login forms aligns with these components being the injection vector. While exact code isn't available, Contao's architecture and vulnerability patterns strongly implicate these core form processing and insert tag handling mechanisms.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It is possi*l* to inj**t ins*rt t**s in *ront *n* *orms w*i** will ** r*pl**** w**n t** p*** is r*n**r**. ### P*t***s Up**t* to *ont*o *.*.**, *.*.* or *.**.*. ### Work*roun*s *is**l* t** *ront *n* lo*in *orm *n* *o not us* *orm *i*l*

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion (*W*-**) w**n pro**ssin* *orm su*missions. *ont*o's Ins*rtT**P*rs*r is **si*n** to r*pl*** sp**i*lly *orm*tt** t**s, *ut w**n *ppli** to unv*li**t** us*r input *rom *orms (p*rti*ul*rly *i*l*s usi

5.3

Basic Information

Concerned about an active attack path?

CVE-2020-25768: Contao Insert tag injection in forms

Impact

Patches

Workarounds

References

For more information

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-25768:
Contao Insert tag injection in forms

Vulnerability Intelligence
Miggo AI