A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is...
4.8CVSS
4.8AI Score
0.001EPSS
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, potentially allowing non-configuration scripts to be uploaded to the...
9.8CVSS
9.5AI Score
0.005EPSS
Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'themes' that allows attackers to Remote Code Execution. Note: Third parties dispute this and argue that advanced permissions are...
7.2CVSS
7.1AI Score
0.004EPSS
A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. NOTE: the vendor disputes this because the attack requires a session...
8.8CVSS
9.2AI Score
0.009EPSS
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native...
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page...
4.8CVSS
4.9AI Score
0.004EPSS
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post...
4.8CVSS
4.9AI Score
0.007EPSS
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card'...
4.8CVSS
4.9AI Score
0.009EPSS
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment.'...
4.8CVSS
4.9AI Score
0.001EPSS
An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on...
5.3CVSS
5.4AI Score
0.001EPSS
A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or...
5.4CVSS
5.4AI Score
0.001EPSS
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute...
4.8CVSS
6.9AI Score
0.001EPSS
An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of....
4.8CVSS
7AI Score
0.001EPSS
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute...
4.8CVSS
6.8AI Score
0.001EPSS
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to...
7.2CVSS
7.3AI Score
0.001EPSS
In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions to create...
6.1CVSS
7.5AI Score
0.001EPSS
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This...
6.1CVSS
6.9AI Score
0.001EPSS
Backdrop CMS version 1.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Sanitization of custom class names used on blocks and layouts. that can result in Execution of JavaScript from an unexpected source.. This attack appear to be exploitable via A user must be directed to...
4.8CVSS
6.4AI Score
0.001EPSS