7 matches found
CVE-2019-11358
CVE-2019-11358 is a prototype pollution vulnerability in jQuery (before 3.4.0) where mishandling of extend(true, {}, ...) can extend Object.prototype if an unsanitized source object has an enumerable __proto__ property. The core issue is triggered when a polluted prototype is introduced via nested ob...
CVE-2019-14769
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 fails to properly filter output for certain administrator-created block labels, allowing an attacker with block-creation/admin rights to craft a label that could trigger scripting during layout administration. A fix is available in 1.12.8...
CVE-2022-24590
BackdropCMS v1.21.1 is affected by a stored cross-site scripting (XSS) vulnerability in the Add Link function. The root cause is insufficient validation of client-side data, enabling attackers to execute arbitrary web scripts/HTML when the vulnerable entry is processed. Sources corroborate the is...
CVE-2022-42094
CVE-2022-42094 concerns Backdrop CMS, version 1.23.0, with a stored XSS bug in the Card content. The NVD/Nuclei-templates describe a stored XSS that could allow an attacker to run arbitrary JavaScript in a victim’s browser, potentially enabling session hijacking, defacement, or theft of informatio...
CVE-2022-42097
Backdrop CMS 1.23.0 contains a stored cross-site scripting (XSS) vulnerability in the Comment feature. The root cause is lack of proper filtering/escaping of user-supplied data. The CVSS metrics indicate a Medium severity (4.8) with network attack vector, high privileges required, and user intera...
CVE-2021-45268
CVE-2021-45268 concerns Backdrop CMS 1.20 with a CSRF vulnerability that can lead to remote code execution on the hosting server by uploading a crafted PHP add-on. The vendor notes the attack requires a high-privileged authenticated user with permission to install add-ons. Multiple sources (NVD, ...
CVE-2024-41709
Backdrop CMS contains an input sanitization flaw in field labels that is triggered when rendering in certain UI paths. Affected versions are 1.27.3 and 1.28.x prior to 1.28.2; exploitation requires a user with the administer fields permission. Remediation: upgrade to Backdrop CMS 1.27.3 or 1.28.2...