Backdrop · Backdrop CMS · CVE-2019-19901
**Name of the Vulnerable Software and Affected Versions**
Backdrop CMS versions 1.13.x through 1.13.4
Backdrop CMS versions 1.14.x through 1.14.1
**Description**
The issue arises from insufficient filtering of output when displaying certain block descriptions created by administrators. An attacker who can create a custom block could craft a specially prepared description that executes script in the browser of an administrator configuring a layout, potentially leading to a cross-site scripting (XSS) attack. The attack is mitigated by the requirement that the attacker hold permission to create custom blocks, typically an administrative task.
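To make the defect concrete, here is an added illustration (not Backdrop core code) of the pattern the advisory describes: an admin-facing layout page that prints a stored block description without escaping, beside the hardened version that escapes at the point of output, plus a small audit helper for reviewing descriptions already stored before the upgrade. All function names and the sample block data are hypothetical.

```php
<?php
// Added illustration, not Backdrop core code. A custom block's description is
// untrusted data: it is written by whoever holds the "create custom blocks"
// permission and later rendered into pages viewed by other administrators.

// Constructed sample of stored block descriptions (hypothetical data).
$blocks = [
    ['title' => 'Footer links', 'description' => 'Links shown in the footer'],
    ['title' => 'Promo',        'description' => 'Promo <script>/* untrusted */</script> banner'],
];

// VULNERABLE pattern: the description is concatenated straight into the
// layout-configuration markup, so any tags inside it reach the browser intact.
function render_block_description_vulnerable(array $block): string {
    return '<div class="description">' . $block['description'] . '</div>';
}

// HARDENED pattern: escape every stored string at the point of output.
// ENT_QUOTES covers both quote characters, so the value is also safe inside
// an attribute; Backdrop's check_plain() performs equivalent escaping.
function escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_block_description(array $block): string {
    return '<div class="description">' . escape_html($block['description']) . '</div>';
}

// Post-upgrade audit helper: a patched renderer neutralises markup, but the
// stored descriptions themselves are unchanged. Returns the titles of blocks
// whose description contains markup so an administrator can review them.
function find_blocks_with_markup(array $blocks): array {
    $flagged = [];
    foreach ($blocks as $block) {
        if (strip_tags($block['description']) !== $block['description']) {
            $flagged[] = $block['title'];
        }
    }
    return $flagged;
}

foreach ($blocks as $block) {
    echo 'vulnerable: ' . render_block_description_vulnerable($block) . "\n";
    echo 'hardened:   ' . render_block_description($block) . "\n";
}
echo 'blocks to review: ' . implode(', ', find_blocks_with_markup($blocks)) . "\n";
```

The hardened output renders the tags as visible text rather than executing them, and the audit helper lists "Promo" for review.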
**Recommendations**
For Backdrop CMS versions 1.13.x through 1.13.4, update to version 1.13.5 or later.
For Backdrop CMS versions 1.14.x through 1.14.1, update to version 1.14.2 or later.