Headline
GHSA-j55w-hjpj-825g: Contao: Insufficient BBCode sanitizer
Impact
If BBCode is enabled for comments, users can inject CSS styles.
Patches
Update to Contao 4.13.40 or 5.3.4.
Workarounds
Disable BBCode for comments.
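As an added illustration (not Contao's code, and not a reconstruction of the specific Contao defect), the following Python renderer shows the allowlist approach that keeps user-controlled BBCode arguments out of CSS and HTML attributes; the tag set, argument rules and the `render_bbcode` function are assumptions chosen for this example.

```python
import html
import re

# Added example (not Contao's code): an allowlist-based BBCode renderer that
# validates every tag argument before it can reach an HTML attribute and
# HTML-escapes everything else. Tag set and argument rules are assumptions.

_HEX_COLOR = re.compile(r"^#[0-9a-fA-F]{6}$")          # strict hex colours only
_HTTP_URL = re.compile(r"^https?://[^\s\"'<>\[\]]+$")  # http(s) only, no quotes/brackets

# tag name -> (argument validator or None, opening-HTML builder, closing HTML)
_TAGS = {
    "b": (None, lambda arg: "<strong>", "</strong>"),
    "i": (None, lambda arg: "<em>", "</em>"),
    "color": (_HEX_COLOR, lambda arg: f'<span style="color:{arg.lower()}">', "</span>"),
    "url": (_HTTP_URL, lambda arg: f'<a href="{html.escape(arg, quote=True)}" rel="nofollow">', "</a>"),
}

# Matches [tag], [tag=argument] and [/tag]; an argument may not contain ']'
_TOKEN = re.compile(r"\[(/?)([a-z]+)(?:=([^\]]*))?\]")


def _argument_ok(validator, arg):
    """Tags without a validator take no argument; tags with one must match it exactly."""
    if validator is None:
        return arg is None
    return arg is not None and validator.fullmatch(arg) is not None


def render_bbcode(text: str) -> str:
    """Convert a comment with BBCode into HTML; anything not allowlisted is shown as escaped text."""
    out, stack, pos = [], [], 0
    for m in _TOKEN.finditer(text):
        out.append(html.escape(text[pos:m.start()]))  # plain text is always escaped
        pos = m.end()
        closing, name, arg = m.group(1) == "/", m.group(2), m.group(3)
        spec = _TAGS.get(name)
        if spec is not None and closing and arg is None and stack and stack[-1] == name:
            out.append(spec[2])
            stack.pop()
        elif spec is not None and not closing and _argument_ok(spec[0], arg):
            out.append(spec[1](arg))
            stack.append(name)
        else:
            # unknown tag, rejected argument or mismatched close: render it literally
            out.append(html.escape(m.group(0)))
    out.append(html.escape(text[pos:]))
    for name in reversed(stack):  # close any tags the user left open
        out.append(_TAGS[name][2])
    return "".join(out)
```

A BBCode argument that fails its validator is shown as text rather than dropped, so a comment never silently loses content and an attempted CSS payload is visible in the rendered page instead of active.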
References
https://contao.org/en/security-advisories/insufficient-bbcode-sanitization
For more information
If you have any questions or comments about this advisory, open an issue in contao/contao.
Moderate severity GitHub Reviewed Published Apr 9, 2024 in contao/contao • Updated Apr 9, 2024