Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25768
Reference (s):
- https://contao.org/en/security-advisories/insert-tag-injection-in-forms.html
- https://community.contao.org/en/forumdisplay.php?4-Announcements