PT-2023-23121 · Unknown · Backdrop CMS

Jenlampton · Published 2023-04-24 · Updated 2024-08-02 · CVE-2023-31045

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Backdrop CMS versions prior to 1.24.2

Description: A stored cross-site scripting (XSS) issue in Text Editors and Formats allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. The vendor disputes the security relevance of this finding.

Recommendations: For Backdrop CMS versions prior to 1.24.2, update to version 1.24.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the text formatting options to minimize the risk of exploitation. Avoid using the name parameter in the affected text editing functionality until the issue is resolved.

Tags: XSS

Related Identifiers

CVE-2023-31045
GHSA-3862-C622-V4FP

Affected Products

Backdrop CMS