PT-2021-23925 · Backstage · @Backstage/Plugin-Auth-Backend

Jhaalsp

·

Published

2021-11-26

·

Updated

2021-12-01

·

CVE-2021-43776

CVSS v3.1

7.4

High

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: @backstage/plugin-auth-backend versions prior to 0.4.9

Description: The auth-backend plugin in Backstage allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack, potentially allowing the attacker to exfiltrate access tokens or other secrets from the user's browser. The default Content Security Policy (CSP) prevents this attack, but some deployments may have these policies disabled due to incompatibilities.

Recommendations: For versions prior to 0.4.9, update to version 0.4.9 of @backstage/plugin-auth-backend to patch the vulnerability. As a temporary workaround, consider restricting access to the auth-backend plugin until the update is applied. Additionally, review and ensure that Content Security Policy (CSP) is enabled and properly configured to minimize the risk of exploitation.

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-43776
GHSA-W7FJ-336R-VW49

Affected Products

@Backstage/Plugin-Auth-Backend