Main Vulnerability Database Vulnerabilities #VU30828

#VU30828 Cross-site scripting in Backdrop CMS - CVE-2019-14769

Published: August 8, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30828

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-14769

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Backdrop CMS

Software vendor:
Backdrop CMS

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.)

Remediation

Install update from vendor's website.

External links

https://backdropcms.org/security/backdrop-sa-core-2019-011

#VU30828 Cross-site scripting in Backdrop CMS - CVE-2019-14769

Description

Remediation

External links

Please verify you're human