Main Vulnerability Database Vulnerabilities #VU23684

#VU23684 Input validation error in Backdrop CMS

Published: December 19, 2019

Vulnerability identifier: #VU23684

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Backdrop CMS

Software vendor:
Backdrop CMS

Description

The vulnerability allows a remote attacker to compromise the affected website.

The vulnerability exists due to insufficient validation of user-supplied archives. A remote authenticated user can upload a specially crafted archive and execute arbitrary code on the server.

This issue is mitigated by the fact that the attacker would be required to have the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given.

Remediation

Install updates from vendor's website.

External links

https://backdropcms.org/security/backdrop-sa-core-2019-016

#VU23684 Input validation error in Backdrop CMS

Description

Remediation

External links

Please verify you're human