An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It doesn’t sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the “Administer file types” permission.
CPE | Name | Operator | Version |
---|---|---|---|
backdrop_cms | ge | 1.14.0 | |
backdrop_cms | lt | 1.14.2 | |
backdrop_cms | ge | 1.13.0 | |
backdrop_cms | lt | 1.13.5 |