Cross-site Scripting in Backdrop CMS

2023-04-2409:30:19

Google

osv.dev

stored xss

backdrop cms

remote attackers

web script

html

text editors

formats

admin

content type

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

30.5%

JSON

A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option.

NOTE: the vendor disputes the security relevance of this finding because “any administrator that can configure a text format could easily allow Full HTML anywhere.”