Lucene search

GitHub Advisory DatabaseGHSA-G8JW-8VPV-PV5Q

HistoryNov 21, 2022 - 9:30 p.m.

Cross-site Scripting in Backdrop CMS

2022-11-2121:30:14

CWE-79

GitHub Advisory Database

github.com

backdrop cms

version 1.23.0

stored cross-site scripting

post content

admin privileges

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.006

Percentile

78.7%

JSON

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content. The account must have admin privileges.

Affected configurations

Vulners

Node

backdropbackdropRange≤1.23.0

VendorProductVersionCPE
backdropbackdrop*cpe:2.3:a:backdrop:backdrop:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
backdrop	backdrop	*	cpe:2.3:a:backdrop:backdrop::::::::

References

github.com/advisories/GHSA-g8jw-8vpv-pv5q

github.com/backdrop/backdrop/releases/tag/1.23.0

github.com/bypazs/CVE-2022-42096

grimthereaperteam.medium.com/cve-2022-42096-backdrop-xss-at-posts-437c305036e2

nvd.nist.gov/vuln/detail/CVE-2022-42096