Lucene search

GitHub Advisory DatabaseGHSA-3WMX-48G3-X66G

HistoryJul 22, 2024 - 6:31 a.m.

Backdrop CMS does not sufficiently sanitize field labels before they are displayed in certain places

2024-07-2206:31:08

CWE-79

GitHub Advisory Database

github.com

backdrop cms

vulnerability

field labels

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

14.5%

JSON

Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the “administer fields” permission.

Affected configurations

Vulners

Node

backdropbackdropRange1.28.0–1.28.2

backdropbackdropRange<1.27.3

VendorProductVersionCPE
backdropbackdrop*cpe:2.3:a:backdrop:backdrop:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
backdrop	backdrop	*	cpe:2.3:a:backdrop:backdrop::::::::

References

backdropcms.org/security/backdrop-sa-core-2024-001

github.com/advisories/GHSA-3wmx-48g3-x66g

github.com/backdrop/backdrop/commit/c7ff0500705668e3f58263590812872e44059301

github.com/backdrop/backdrop/commit/f1dfe710c186fb47c9d949f01f37e5ab42b44030

nvd.nist.gov/vuln/detail/CVE-2024-41709