Cross-site scripting in Backdrop CMS - CVE-2019-19900
Published: December 19, 2019 / Updated: July 17, 2020
Vulnerability identifier: #VU30509
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-19900
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Backdrop CMS
Affected software:
Backdrop CMS
Backdrop CMS
Detailed vulnerability description
The vulnerability allows a remote privileged user to read and manipulate data.
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer content types" permission.
How to mitigate CVE-2019-19900
Install update from vendor's website.