
4 matches found

GitHub Security Blog
added 2021/06/04 7:9 p.m. | 60 views

Script injection

Impact: A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user into visiting the content via the TechDocs API, the content sanitization will be bypassed. If the TechDocs API is...

CVSS: 8.1 | AI score: 0.1 | EPSS: 0.00468
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2021/06/04 7:9 p.m. | 10 views

GHSA-PWHF-39XG-4RXW Script injection

Impact: A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user into visiting the content via the TechDocs API, the content sanitization will be bypassed. If the TechDocs API is...

CVSS: 6.8 | AI score: 8 | EPSS: 0.00468
Exploits: 0 | References: 4
Veracode
added 2021/06/04 5:48 a.m. | 15 views

Information Disclosure

@backstage/techdocs-common is vulnerable to information disclosure. An attacker is able to bypass sanitization by uploading documentation content with malicious scripts that would normally be sanitized by the TechDocs frontend, but by tricking a user into visiting the content via the TechDocs API, the...

CVSS: 8.1 | AI score: 2.2 | EPSS: 0.00468
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2021/06/03 5:5 p.m. | 13 views

CVE-2021-32660 TechDocs content sanitization bypass

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In versions of @backstage/techdocs-common prior to 0.6.4, a malicious internal actor is able to upload documentation content with malicious scripts. These...

CVSS: 6.8 | AI score: 8.3 | EPSS: 0.00468
Exploits: 0 | References: 3