CVE-2019-19714
Description
Contao 4.8.4 and 4.8.5 has Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Contao CMS 4.8.4 and 4.8.5 allow input submitted to the login module to be interpreted as insert tags, which the CMS expands when the page is rendered.
Vulnerability
Description
Contao CMS versions 4.8.4 and 4.8.5 suffer from Improper Encoding or Escaping of Output (CWE-116) in the login module. The module does not neutralise insert tag syntax in user-provided input before that input is written into the page, so an attacker can inject arbitrary "insert tags": placeholders of the form {{tag}} or {{tag::argument}} that the CMS evaluates and replaces during rendering [1][2].
Exploitation
Method
An attacker who can submit input to the login module, which is normally exposed to unauthenticated visitors, can embed insert tags in that input. No privileges are required; the attack only needs a value that the login module processes and writes back into the page. Because insert tags are expanded after the submitted value has already been placed in the output, the CMS replaces the injected tags during rendering exactly as it would tags written by the site author [3][4].
Impact
Depending on which insert tags the installation exposes, an attacker can inject markup into the rendered page (cross-site scripting) or make the page disclose data that insert tags resolve at render time. The login module effectively becomes a server-side template injection point. The issue is rated CVSS 6.1 (medium) [2].
Mitigation
Upgrade to Contao 4.8.6 or later, which fixes the issue in both contao/contao and contao/core-bundle [3][4]. The fix encodes the user-supplied value so that insert tag syntax inside it is no longer interpreted when the page is rendered. Installations running 4.8.4 or 4.8.5 should update immediately.
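To make the mechanism and the fix concrete, here is an added example written for this page; it is not Contao's code and does not call Contao's API. It models a toy insert tag expander over hypothetical tags (env, user, page, br) and a constructed login template, then shows the vulnerable ordering described above (user input placed into the page, tags expanded afterwards) next to a hardened version that encodes the {{ and }} delimiters in user input before expansion. All names, tags and context values are assumptions; the encoding approach mirrors the "proper output encoding" the advisory summary refers to, not the exact upstream patch.

```python
import html
import re

# Constructed stand-in for a CMS insert tag engine. Tags look like {{tag}}
# or {{tag::argument}}; the groups below are hypothetical, not Contao's.
TAG_RE = re.compile(r"\{\{([a-zA-Z_]+)(?:::([^}]*))?\}\}")

# Constructed render-time context: the kind of data a tag expander can reach.
CONTEXT = {
    "env": {"host": "cms.example.test", "path": "/login.html"},
    "user": {"email": "admin@example.test"},
    "page": {"title": "Login"},
}


def expand_insert_tags(markup: str, context: dict = CONTEXT) -> str:
    """Replace every {{group::key}} in markup; unknown tags are left as-is."""
    def resolve(match: re.Match) -> str:
        group, key = match.group(1), match.group(2)
        if group == "br":
            return "<br>"
        if group in context and key in context[group]:
            return context[group][key]
        return match.group(0)
    return TAG_RE.sub(resolve, markup)


# Constructed login template: the submitted username is echoed back into
# the form, and the template itself also uses an insert tag.
LOGIN_TEMPLATE = (
    '<form method="post" action="{{env::path}}">'
    '<input type="text" name="username" value="%s">'
    '</form>'
)


def render_login_vulnerable(username: str) -> str:
    """Ordering behind the advisory: HTML-escape the input, place it in the
    page, then expand insert tags over the whole page. HTML escaping does
    not touch braces, so tags in the username are expanded like the
    author's own."""
    page = LOGIN_TEMPLATE % html.escape(username, quote=True)
    return expand_insert_tags(page)


def encode_insert_tags(value: str) -> str:
    """Neutralise the delimiters: the entities still render as literal
    braces in the browser, but TAG_RE no longer matches them."""
    return value.replace("{{", "&#123;&#123;").replace("}}", "&#125;&#125;")


def render_login_fixed(username: str) -> str:
    """Hardened ordering: escape HTML, then encode tag delimiters, and only
    then run the expander. Template-authored tags still work."""
    safe = encode_insert_tags(html.escape(username, quote=True))
    return expand_insert_tags(LOGIN_TEMPLATE % safe)


def contains_insert_tag(value: str) -> bool:
    """Request-side check: flag submitted values carrying tag syntax, useful
    for logging or blocking login POSTs while an upgrade is pending."""
    return TAG_RE.search(value) is not None


if __name__ == "__main__":
    payload = "{{user::email}}"
    print("vulnerable:", render_login_vulnerable(payload))
    print("fixed:     ", render_login_fixed(payload))
    print("flagged:   ", contains_insert_tag(payload))
```

Running the block shows the vulnerable render substituting the hypothetical admin e-mail address into the form's value attribute, while the fixed render keeps the literal (entity-encoded) tag text and still resolves the template's own {{env::path}} tag.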
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| contao/core-bundle (Packagist) | >= 4.8.4, < 4.8.6 | 4.8.6 |
| contao/contao (Packagist) | >= 4.8.4, < 4.8.6 | 4.8.6 |
Affected products
- contao/contao (GHSA): >= 4.8.4, < 4.8.6
- (no CPE): >= 4.8.4, < 4.8.6
- (no CPE): >= 4.8.4, < 4.8.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jc43-qrrp-98f5 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-19714 (NVD)
- contao.org/en/news.html (MITRE, x_refsource_MISC)
- contao.org/en/security-advisories/insert-tag-injection-in-the-login-module.html (vendor advisory, x_refsource_CONFIRM)
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-19714.yaml (FriendsOfPHP security-advisories)
- github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-19714.yaml (FriendsOfPHP security-advisories)
- github.com/contao/contao/security/advisories/GHSA-jc43-qrrp-98f5 (repository advisory)
News mentions
No linked articles in our index yet.