Backdrop · Backdrop Cms · CVE-2019-14771
**Name of the Vulnerable Software and Affected Versions**
Backdrop CMS versions 1.12.x through 1.12.7
Backdrop CMS versions 1.13.x through 1.13.2
**Description**
Backdrop CMS allows the upload of entire-site configuration archives through the user interface or the command line, but it does not sufficiently check the uploaded archive's contents for invalid data. Because non-configuration files are not rejected, an attacker could upload a server-side script alongside the configuration files. The attack is mitigated by the requirement for the "Synchronize, import, and export configuration" permission, which should only be given to trusted administrators. Additionally, other preventative measures in Backdrop CMS prevent the execution of PHP scripts from the affected location, so another server-side scripting language (for example CGI or Perl handlers enabled on the web server) would have to be available on the server for uploaded code to execute.
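As an added illustration, and not Backdrop's own code or its actual patch, the following Python sketch shows the kind of allow-list check an importer needs before accepting entries from an uploaded configuration archive. It builds a constructed in-memory `.tar.gz` that mixes legitimate JSON config files with a CGI script, a path-traversal name, a symlink and a malformed JSON file, then walks the archive and rejects every entry that is not a flat, regular, well-formed `.json` configuration file. The config-name pattern, the per-entry size cap and the sample entries are assumptions made for this example.

```python
import io
import json
import re
import tarfile

# Assumed name pattern for a config file such as "system.core.json" or
# "node.type.page.json". This is an assumption for the example, not
# Backdrop's own validation rule.
CONFIG_NAME = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)+\.json$")
MAX_ENTRY_SIZE = 1024 * 1024  # arbitrary 1 MiB cap per entry for the example


def validate_config_archive(archive_bytes):
    """Return (accepted, rejected) for a gzipped tar of config files.

    accepted: member names that pass every check.
    rejected: (member name, reason) pairs for everything else.
    """
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            name = member.name
            # Symlinks, hard links, devices and directories have no business
            # in a config archive; a symlink could point outside the import dir.
            if not member.isfile():
                rejected.append((name, "not a regular file"))
                continue
            # Config archives are flat: any directory separator means either
            # a nested path or a traversal attempt such as ../../x.json.
            if "/" in name or "\\" in name:
                rejected.append((name, "path traversal or nested path"))
                continue
            # This is the check whose absence lets a script (.cgi, .pl, .py)
            # into the import directory: only *.json config names are allowed.
            if not CONFIG_NAME.match(name):
                rejected.append((name, "not a .json config file"))
                continue
            if member.size > MAX_ENTRY_SIZE:
                rejected.append((name, "entry too large"))
                continue
            # A .json name is not enough; the content must parse as JSON too.
            try:
                json.load(tar.extractfile(member))
            except ValueError:
                rejected.append((name, "content is not valid JSON"))
                continue
            accepted.append(name)
    return accepted, rejected


def build_archive(entries):
    """Build an in-memory .tar.gz from (name, content) pairs.

    A content of None produces a symlink entry instead of a regular file.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            if content is None:
                info.type = tarfile.SYMTYPE
                info.linkname = "/etc/passwd"
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archive: two legitimate config files plus four entries
# that a correct importer must refuse.
SAMPLE_ENTRIES = [
    ("system.core.json", b'{"site_name": "Example"}'),
    ("node.type.page.json", b'{"name": "Page"}'),
    ("shell.cgi", b"#!/usr/bin/perl\nprint \"Content-type: text/plain\\n\\n\";\n"),
    ("../../index.json", b"{}"),
    ("views.view.broken.json", b"this is not json"),
    ("system.link.json", None),
]


def run_example():
    """Validate the constructed sample archive and return the verdicts."""
    return validate_config_archive(build_archive(SAMPLE_ENTRIES))


if __name__ == "__main__":
    accepted, rejected = run_example()
    for name in accepted:
        print("accept", name)
    for name, reason in rejected:
        print("reject", name, "->", reason)
```

The order of the checks matters: the file-type and path checks run before the name pattern so that a symlink or traversal entry is refused for that reason rather than slipping through on a plausible-looking name. Validation is done on the archive stream before anything is written to disk, which is where an importer should sit.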
**Recommendations**
For Backdrop CMS versions 1.12.x through 1.12.7, update to version 1.12.8 or later.
For Backdrop CMS versions 1.13.x through 1.13.2, update to version 1.13.3 or later.
As a temporary workaround until the update can be applied, restrict the "Synchronize, import, and export configuration" permission to trusted administrators only, since the issue cannot be exploited without it.