PT-2024-9770 · Unknown · @Backstage/Plugin-Techdocs-Backend
Rugvip · Published 2024-09-16 · Updated 2025-01-03 · CVE-2024-46976
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions:
@backstage/plugin-techdocs-backend versions prior to 1.10.13
Description:
The issue allows an attacker with control of the TechDocs storage buckets to inject executable scripts in the TechDocs content. These scripts will be executed in the victim's browser when browsing documentation or navigating to an attacker-provided link. This can lead to cross-site scripting attacks.
Recommendations:
For versions prior to 1.10.13, upgrade to the 1.10.13 release of the @backstage/plugin-techdocs-backend package to fix the issue. As a temporary workaround, consider restricting access to the TechDocs content to minimize the risk of exploitation.
Exploit
Fix
Protection Mechanism Failure
XSS
Related Identifiers
Affected Products
@Backstage/Plugin-Techdocs-Backend