backdrop/backdrop is vulnerable to Stored Cross-Site Scripting (XSS) attacks. A remote attacker authenticated as an administrator can inject arbitrary web script or HTML through the name argument in Text Editors and Formats, modifying any sort of material, which allows the stored XSS payload to be executed when the malicious text formatting option is selected.
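The class of fix for a stored name that is later rendered on selection is output encoding at the point of display. The following is an added example, not Backdrop's own code: the function names, the rendered panel and the sample records are hypothetical and constructed for illustration. It also goes slightly beyond the advisory by including a check that lists stored names needing review.

```javascript
// Constructed sample data: text format records as saved by an administrator.
// The second name carries markup, matching the scenario in the advisory.
const formats = [
  { id: 'filtered_html', name: 'Filtered HTML' },
  { id: 'custom', name: 'Custom <img src=x onerror=alert(1)>' },
];

// Encode the characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Vulnerable form (hypothetical view shown when a format is selected):
// the stored name is concatenated into markup unchanged.
function renderSelectedFormatUnsafe(format) {
  return `<div class="format-info" data-format="${format.id}">` +
         `<strong>${format.name}</strong></div>`;
}

// Hardened form: every stored value is encoded where it is written out,
// so the name is displayed as text instead of being parsed as markup.
function renderSelectedFormat(format) {
  return `<div class="format-info" data-format="${escapeHtml(format.id)}">` +
         `<strong>${escapeHtml(format.name)}</strong></div>`;
}

// Review aid: list stored formats whose name contains HTML-significant
// characters. A hit is a prompt for review, not proof of an injection
// (a legitimate name such as "Q&A" is also reported).
function formatsNeedingReview(list) {
  return list.filter((f) => escapeHtml(f.name) !== f.name);
}

for (const f of formats) {
  console.log(renderSelectedFormat(f));
}
console.log('review:', formatsNeedingReview(formats).map((f) => f.id));
```

Encoding at output protects every place the name is displayed, including records saved before any input validation was introduced.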