PT-2021-19838 · Unknown · @Backstage/Techdocs-Common

Rugvip · Published 2021-06-03 · Updated 2021-06-21 · CVE-2021-32660

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: @backstage/techdocs-common versions prior to 0.6.4

Description: A malicious internal actor can upload documentation content with malicious scripts, which would normally be sanitized by the TechDocs frontend. However, by tricking a user into visiting the content via the TechDocs API, the content sanitization will be bypassed. If the TechDocs API is hosted on the same origin as the Backstage app or other backend plugins, this may give access to sensitive data. The ability to upload malicious content may be limited by internal code review processes, unless the chosen TechDocs deployment method is to use an object store and the actor has access to upload files directly to that store.

Recommendations: For versions prior to 0.6.4, update to the 0.6.4 release of @backstage/techdocs-common to patch the vulnerability. As a temporary workaround, consider restricting access to the TechDocs API to minimize the risk of exploitation. Additionally, review internal code review processes and TechDocs deployment methods to limit the ability to upload malicious content.

Fix

Weakness Enumeration

Command Injection
Unrestricted File Upload

Related Identifiers

CVE-2021-32660
GHSA-PWHF-39XG-4RXW

Affected Products

@Backstage/Techdocs-Common