Unknown · Backdrop CMS · CVE-2023-31045
**Name of the Vulnerable Software and Affected Versions**
Backdrop CMS versions prior to 1.24.2
**Description**
A stored cross-site scripting (XSS) issue in Text Editors and Formats allows remote attackers to inject arbitrary web script or HTML via the `name` parameter. The stored payload executes when a user who is editing any content type as an admin selects the malicious text formatting option. The vendor disputes the security relevance of this finding.
**Recommendations**
For Backdrop CMS versions prior to 1.24.2, update to version 1.24.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the text formatting options to minimize the risk of exploitation. Avoid using the `name` parameter in the affected text editing functionality until the issue is resolved.
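A check that complements the update, as an added example that is not code from Backdrop CMS or from this advisory: it audits stored text format labels for markup and shows the output encoding that keeps such a label inert when rendered. The JSON record layout (`format` and `name` keys), the sample records and the function names are assumptions made for illustration.

```python
import html
import json
import re

# Constructed sample data: three text-format records in an assumed JSON layout.
SAMPLE_FORMATS = json.loads("""
[
  {"format": "filtered_html", "name": "Filtered HTML"},
  {"format": "full_html", "name": "Full HTML <script>/* constructed */</script>"},
  {"format": "notes", "name": "Notes \\" onmouseover=\\"x"}
]
""")

# Characters that let a label break out of HTML text or a quoted attribute.
MARKUP_CHARS = re.compile(r"[<>\"'`]")
# Inline event-handler attribute such as onload= or onerror=.
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def audit_format_names(formats):
    """Return (machine_name, reasons) for every label that is not plain text."""
    findings = []
    for record in formats:
        name = record.get("name", "")
        reasons = []
        if MARKUP_CHARS.search(name):
            reasons.append("markup-characters")
        if EVENT_HANDLER.search(name):
            reasons.append("event-handler")
        if reasons:
            findings.append((record.get("format", "?"), reasons))
    return findings


def safe_label(name):
    """Encode a stored label for use as HTML text or a quoted attribute value."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for machine_name, reasons in audit_format_names(SAMPLE_FORMATS):
        print(f"{machine_name}: {', '.join(reasons)}")
```

Any label the audit flags should be reviewed and renamed by an administrator, since a label saved before the update stays in storage after it.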