CVE-2023-31045

Published: 2023-04-24 08:15:07 (source: MITRE; also tracked at web.nvd.nist.gov)
Weakness: CWE-79 (Cross-site scripting)

Tags: cve-2023-31045, cross-site scripting, xss, backdrop cms, security issue, remote attackers, text editors, formats, nvd

CVSS3: 4.8 (Medium)
  Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: High
  User Interaction: Required
  Scope: Changed
  Confidentiality Impact: Low
  Integrity Impact: Low
  Availability Impact: None

AI Score: 4.9 (Confidence: High)
EPSS: 0.001 (Percentile: 30.5%)

A stored cross-site scripting (XSS) issue in the Text Editors and Formats configuration of Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter of a text format. When a user edits any content type (e.g., page, post, or card) as an administrator, the stored payload executes as soon as the malicious text format is selected in the editor. Injecting the name requires the permission to configure text formats, which is why the vector records Privileges Required: High. NOTE: the vendor disputes the security relevance of this finding because “any administrator that can configure a text format could easily allow Full HTML anywhere.”
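The description above comes down to a stored configuration value (the text format's name) reaching the editor page without escaping when that format is selected. The following Node.js script is an added illustration, not Backdrop CMS code: it builds the notice shown after a format is picked first by concatenating the stored name (the vulnerable pattern), then through an HTML escaper, and adds a regression check that flags any tag the template itself did not emit. The `FORMATS` records, the `renderFormatNotice*` functions, `escapeHtml`, `hasUnexpectedTags` and the hostile sample name are all assumptions constructed for the example.

```javascript
// Added example (not Backdrop CMS code): rendering a stored text-format name
// when an editor switches formats, first unescaped, then HTML-escaped.
// Assumptions: formats are plain {machineName, name, tips} records, and the
// DOM fragment is built as a string so the script runs under Node offline.

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample formats. The second name is a hostile sample written for
// this example; it is not a payload taken from the advisory.
const FORMATS = [
  { machineName: 'filtered_html', name: 'Filtered HTML', tips: 'Allowed tags: a, em, strong' },
  { machineName: 'full_html', name: '<img src=x onerror="alert(1)">', tips: 'No filtering' },
];

function findFormat(formats, machineName) {
  const f = formats.find((x) => x.machineName === machineName);
  if (!f) throw new Error(`unknown text format: ${machineName}`);
  return f;
}

// Vulnerable pattern: configuration values are concatenated straight into
// markup, so a name containing tags becomes live HTML in the editor page.
function renderFormatNoticeVulnerable(formats, machineName) {
  const f = findFormat(formats, machineName);
  return `<div class="filter-guidelines">Format: <strong>${f.name}</strong> ${f.tips}</div>`;
}

// Hardened pattern: every stored value is escaped at output time, regardless
// of which role was allowed to write it.
function renderFormatNoticeSafe(formats, machineName) {
  const f = findFormat(formats, machineName);
  return `<div class="filter-guidelines">Format: <strong>${escapeHtml(f.name)}</strong> ${escapeHtml(f.tips)}</div>`;
}

// Regression check: the template itself emits only <div> and <strong>; any
// other tag name in the output means stored data reached the page unescaped.
const TEMPLATE_TAGS = new Set(['div', 'strong']);
function hasUnexpectedTags(html) {
  const names = [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  return names.some((t) => !TEMPLATE_TAGS.has(t));
}

// Runs both renderers over every sample format and reports which ones leak.
function summarize(formats) {
  const result = {};
  for (const f of formats) {
    result[f.machineName] = {
      vulnerableLeaks: hasUnexpectedTags(renderFormatNoticeVulnerable(formats, f.machineName)),
      safeLeaks: hasUnexpectedTags(renderFormatNoticeSafe(formats, f.machineName)),
    };
  }
  return result;
}

console.log(JSON.stringify(summarize(FORMATS), null, 2));
```

Running it reports `vulnerableLeaks: true` and `safeLeaks: false` for the hostile sample, and `false` for both renderers on the benign name. The check sits on the rendered output rather than on the configuration form, which is the point of the fix: escaping at output time holds even if the vendor's argument is accepted and the name is treated as content an administrator is trusted to write.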

Affected configurations

NVD node: backdropcms / backdrop, version range < 1.24.2

Vendor: backdropcms
Product: backdrop
Version: *
CPE: cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:*
