CVE-2019-19903

Name of the Vulnerable Software and Affected Versions Backdrop CMS versions 1.14.x through 1.14.1

Description An issue was discovered where the software does not sufficiently filter output when displaying file type descriptions created by administrators. This could allow an attacker to craft a specialized description and have an administrator execute scripting when viewing the list of file types. The issue is mitigated by the requirement that an attacker must have a role with the "Administer file types" permission.

Recommendations For Backdrop CMS versions 1.14.x through 1.14.1, update to version 1.14.2 or later to resolve the issue. As a temporary workaround, consider restricting the "Administer file types" permission to minimize the risk of exploitation.