GHSA-j55w-hjpj-825g: Contao: Insufficient BBCode sanitizer

Impact

If BBCode is enabled for comments, users can inject CSS styles.

Patches

Update to Contao 4.13.40 or 5.3.4.

Workarounds

Disable BBCode for comments.

References

https://contao.org/en/security-advisories/insufficient-bbcode-sanitization

For more information

If you have any questions or comments about this advisory, open an issue in contao/contao.

Moderate severity • GitHub Reviewed • Published Apr 9, 2024 in contao/contao • Updated Apr 9, 2024
