PT-2019-15997 · Backdrop · Backdrop Cms
Bot Kotatu
·
Published
2019-12-19
·
Updated
2019-12-27
·
CVE-2019-19903
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Backdrop CMS versions 1.14.x through 1.14.1
Description
An issue was discovered where the software does not sufficiently filter output when displaying file type descriptions created by administrators. This could allow an attacker to craft a specialized description and have an administrator execute scripting when viewing the list of file types. The issue is mitigated by the requirement that an attacker must have a role with the "Administer file types" permission.
Recommendations
For Backdrop CMS versions 1.14.x through 1.14.1, update to version 1.14.2 or later to resolve the issue. As a temporary workaround, consider restricting the "Administer file types" permission to minimize the risk of exploitation.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Backdrop Cms