CVE-2019-19901

Name of the Vulnerable Software and Affected Versions Backdrop CMS versions 1.13.x through 1.13.4 Backdrop CMS versions 1.14.x through 1.14.1

Description The issue arises from insufficient filtering of output when displaying certain block descriptions created by administrators. This could allow an attacker to craft a specialized description and execute scripting when an administrator configures a layout, potentially leading to a cross-site scripting (XSS) attack. The attack is mitigated by the requirement for the attacker to have permission to create custom blocks, typically an administrative task.

Recommendations For Backdrop CMS versions 1.13.x through 1.13.4, update to version 1.13.5 or later. For Backdrop CMS versions 1.14.x through 1.14.1, update to version 1.14.2 or later.