PT-2021-19839 · Unknown · @Backstage/Plugin-Techdocs

Rugvip · Published 2021-06-03 · Updated 2021-06-21 · CVE-2021-32661

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-techdocs versions prior to 0.9.5

Description: A malicious internal actor can potentially upload documentation content with malicious scripts by embedding the script within an object element. This may give access to sensitive data when other users visit that same documentation page. The ability to upload malicious content may be limited by internal code review processes, unless the chosen TechDocs deployment method is to use an object store and the actor has access to upload files directly to that store.

Recommendations: For versions prior to 0.9.5, update to the 0.9.5 release of @backstage/plugin-techdocs to patch the vulnerability. As a temporary workaround, consider restricting access to upload files directly to the object store and implementing strict internal code review processes to minimize the risk of exploitation.
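The workaround above relies on reviewing content before it reaches the object store. The following added example (not code from the Backstage project or this advisory) shows a pre-publish check over generated TechDocs HTML that reports `object` elements, the vector named in the description, and as an assumption also `embed`, `iframe` and `script`, plus `data`/`src` attributes whose URL scheme would execute script. The sample page is constructed.

```python
"""Pre-publish scan of TechDocs HTML for active-content elements.

Illustrative example, not Backstage's own fix. Reports any element that
can carry executable content into a documentation page so a reviewer can
reject the upload before it is published to the object store.
"""
from html.parser import HTMLParser

# Elements able to load or run active content (object is the advisory's
# vector; embed, iframe and script are added here as an assumption).
ACTIVE_ELEMENTS = {"object", "embed", "script", "iframe"}
# URL schemes that execute script when used as an object/embed source.
SCRIPT_SCHEMES = ("javascript:", "data:")


class ActiveContentScanner(HTMLParser):
    """Collect (line, tag, reason) findings for each active element."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_ELEMENTS:
            return
        line, _ = self.getpos()
        attrs = {name: (value or "") for name, value in attrs}
        src = attrs.get("data") or attrs.get("src") or ""
        reason = "active element"
        if src.strip().lower().startswith(SCRIPT_SCHEMES):
            reason = "script-bearing source URL"
        self.findings.append((line, tag, reason))

    def handle_startendtag(self, tag, attrs):
        # Self-closing forms such as <embed ... /> are checked the same way.
        self.handle_starttag(tag, attrs)


def scan_techdocs_html(html: str) -> list:
    """Return findings as (line number, tag name, reason) tuples."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one harmless image, one object with a data: URL,
# one embed pointing at a remote file.
SAMPLE_PAGE = """<html><body>
<h1>Service docs</h1>
<img src="diagram.png" alt="architecture">
<object data="data:text/html,placeholder" type="text/html"></object>
<embed src="https://example.invalid/widget.swf">
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason in scan_techdocs_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {reason}")
```

The check is a gate for the review process, not a substitute for the 0.9.5 upgrade, which is where the rendering-side fix lives.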

Fix

Command Injection

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2021-32661
GHSA-GG96-F8WR-P89F

Affected Products

@Backstage/Plugin-Techdocs