GHSA-5J94-F3MF-8685 @backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection

Impact An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. Patches This has been fixed in the...

@backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability

Impact When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. Patches This has been fixed in the 1.10.1...

GHSA-3X3F-JCP3-G22J @backstage/plugin-catalog-backend Prototype Pollution vulnerability

Impact A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. Patches This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend...

GHSA-2FC9-XPP8-2G9H `@backstage/backend-common` vulnerable to path traversal through symlinks

Impact Paths checks with the resolveSafeChildPath utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. Patches Patched in @backstage/backend-common version 0.21.1. Patched in @backstage/backend-common version 0.20.2. Patch...

Cross-Site Scripting vulnerability in @backstage/plugin-auth-backend

Impact This vulnerability allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but i...

Path Traversal in @backstage/plugin-scaffolder-backend

Impact A malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situation also be exploited through user input when executing a...

Script injection

Impact A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user to visit the content via the TechDocs API, the content sanitazion will be bypassed. If the TechDocs API is...

Script injection

Impact A malicious internal actor can potentially upload documentation content with malicious scripts by embedding the script within an object element. This may give access to sensitive data when other users visit that same documentation page. The ability to upload malicious content may be limite...

Path traversal

Impact A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docsdir in mkdocs.yml. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that ...

GHSA-PGF8-28GG-VPR6 Path traversal

Impact A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docsdir in mkdocs.yml. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that ...