PT-2019-13821 · Backdrop · Backdrop Cms
Ashwin Shenoi
+2
·
Published
2019-08-08
·
Updated
2019-08-15
·
CVE-2019-14769
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Backdrop CMS versions 1.12.x through 1.12.7
Backdrop CMS versions 1.13.x through 1.13.2
Description
The issue arises from insufficient filtering of output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label and have an administrator execute scripting when administering a layout. This issue is mitigated by the requirement for the attacker to have permission to create custom blocks on the site, which is typically an administrative permission.
Recommendations
For Backdrop CMS versions 1.12.x through 1.12.7, update to version 1.12.8 or later.
For Backdrop CMS versions 1.13.x through 1.13.2, update to version 1.13.3 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Backdrop Cms