GHSA-w3g8-r9gw-qrh8: Denial of Service in Keycloak Server via Security Headers

GHSA-f4v7-3mww-9gc2: Keycloak allows unrestricted admin use of system and environment variables

GHSA-vh22-6c6h-rm8q: jte's HTML templates containing Javascript template strings are subject to XSS

GHSA-mgr7-5782-6jh9: The Umbraco Heartcore headless client library uses a vulnerable Refit dependency package

GHSA-45v3-38pc-874v: notation-go's timestamp signature generation lacks certificate revocation check

### Impact

It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.

### Patches

Update to Contao 4.13.40 or 5.3.4.

### Workarounds

Do not output the submitted form data on the website.

### References

https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

**Contao: Unencoded insert tags in the frontend**

Low severity GitHub Reviewed Published Apr 9, 2024 in contao/contao • Updated Apr 9, 2024

Headline

GHSA-747v-52c4-8vj8: Contao: Unencoded insert tags in the frontend

Impact

Patches

Workarounds

References

For more information

ghsa: Latest News