GHSA-3m86-c9x3-vwm9: Graylog vulnerable to privilege escalation through API tokens

GHSA-3q26-f695-pp76: @cyanheads/git-mcp-server vulnerable to command injection in several tools

GHSA-6r2x-8pq8-9489: Electron vulnerable to Heap Buffer Overflow in NativeImage

GHSA-v8fr-vxmw-6mf6: Mattermost Incorrect Authorization vulnerability

GHSA-wgvp-jj4w-88hf: Mattermost Incorrect Authorization vulnerability

### Impact

It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way.

### Patches

Update to Contao 4.13.40 or 5.3.4.

### Workarounds

Do not output the submitted form data on the website.

### References

https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

**Contao: Unencoded insert tags in the frontend**

Low severity GitHub Reviewed Published Apr 9, 2024 in contao/contao • Updated Apr 9, 2024

Headline

GHSA-747v-52c4-8vj8: Contao: Unencoded insert tags in the frontend

Impact

Patches

Workarounds

References

For more information

ghsa: Latest News