PT-2019-15994 · Backdrop · Backdrop Cms

Bot Kotatu

·

Published

2019-12-19

·

Updated

2019-12-27

·

CVE-2019-19900

CVSS v3.1

4.8

Medium

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Backdrop CMS versions 1.13.x through 1.13.4, and Backdrop CMS versions 1.14.x through 1.14.1
Description: Backdrop CMS does not sufficiently escape content type names when it displays them in the content creation interface. A user who can create or rename a content type can give it a name containing script markup; because the name is stored and later rendered without adequate output encoding, the script executes in the browser of any editor who opens the content creation page (a stored cross-site scripting attack). The issue is mitigated by the requirement that the attacker hold a role with the "Administer content types" permission, so it is only exploitable by already-privileged users, as reflected in the PR:H and UI:R components of the CVSS vector.
Recommendations: For Backdrop CMS versions 1.13.x through 1.13.4, update to version 1.13.5 or later. For Backdrop CMS versions 1.14.x through 1.14.1, update to version 1.14.2 or later.
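The output-encoding defect the description refers to, shown as an added PHP example with the vulnerable pattern beside the hardened one. This is illustration code written for this page, not Backdrop's own source: the function names, the sample content type list and the payload string are constructed, and the remark that Backdrop's check_plain() wraps htmlspecialchars() is the editor's understanding of the project API rather than something stated in the advisory.

```php
<?php
// Added example for CVE-2019-19900's vulnerability class: a content type
// name stored verbatim and later echoed into the "create content" page.
// Not Backdrop code; names and sample data below are constructed.

// Constructed sample: one benign content type and one whose label carries a
// script payload, as a user with "Administer content types" could save it.
$content_types = [
    'article' => 'Article',
    'evil'    => 'News<script>alert(document.cookie)</script>',
];

// Vulnerable pattern: the stored label goes straight into the markup, so the
// payload is parsed as a <script> element when an editor loads the page.
function render_add_links_unescaped(array $types): string {
    $html = "<ul>\n";
    foreach ($types as $machine => $label) {
        $html .= "  <li><a href=\"/node/add/{$machine}\">{$label}</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened pattern: every stored string is encoded for the context it lands
// in. htmlspecialchars() with ENT_QUOTES is correct for element text and for
// quoted attribute values; Backdrop's check_plain() performs the same call
// (assumption about the project API, see lead-in). The machine name ends up
// in a URL path, so it is additionally restricted to an allowlist of
// characters rather than merely encoded.
function render_add_links_escaped(array $types): string {
    $html = "<ul>\n";
    foreach ($types as $machine => $label) {
        if (!preg_match('/^[a-z0-9_]+$/', $machine)) {
            continue; // refuse to emit a link for a malformed machine name
        }
        $safe_label = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
        $html .= "  <li><a href=\"/node/add/{$machine}\">{$safe_label}</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Quick audit check: does the rendered markup still contain a raw <script>
// tag originating from the stored label?
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

$vulnerable = render_add_links_unescaped($content_types);
$fixed      = render_add_links_escaped($content_types);

echo 'Unescaped output contains raw <script>: '
    . var_export(contains_raw_script($vulnerable), true) . "\n";
echo 'Escaped output contains raw <script>:   '
    . var_export(contains_raw_script($fixed), true) . "\n";
echo $fixed;
```

Run with `php example.php`: the first check reports true and the second false, and the printed list shows the payload rendered as literal text (`&lt;script&gt;...`) rather than as an element. The same pattern applies to any administrator-controlled label (content type, field, role or vocabulary names) that a CMS later renders for other users: treat it as untrusted at output time regardless of the permission needed to set it.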

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2019-19900

Affected Products

Backdrop Cms