Backdrop CMS vulnerability search

11 matches found

CVE · added 2019/04/20 12:29 a.m. · 2191 views

CVE-2019-11358

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.

CVSS 6.1 · AI score 6.4 · EPSS 0.02394
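The mechanism behind this entry, as an added example that is not jQuery's source and not part of this listing: a minimal recursive deep-extend that reproduces the flaw, beside a hardened version using the same guard jQuery 3.4.0 added (skip the `__proto__` key). The attacker payload, the `isAdmin` field it plants, and the function names are constructed for the demonstration.

```javascript
// Added example (not jQuery's code). Reproduces the CVE-2019-11358 pattern:
// a deep merge that recurses into every enumerable key of an untrusted source.

// Constructed attacker input. JSON.parse creates an OWN enumerable property
// literally named "__proto__" (an object literal {__proto__: ...} would instead
// set the prototype), so for-in / Object.keys both see it.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// Vulnerable: for key "__proto__", target[key] resolves through the
// Object.prototype accessor to Object.prototype itself, so the recursion
// writes the attacker's fields straight into the global prototype.
function deepExtendVulnerable(target, src) {
  for (const key in src) {
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      deepExtendVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the "__proto__" key (the jQuery 3.4.0 fix) and only ever
// recurse into a property the target OWNS, so nothing on the prototype chain
// can become the write target.
function deepExtendSafe(target, src) {
  for (const key of Object.keys(src)) {
    if (key === '__proto__') continue;
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject = Object.prototype.hasOwnProperty.call(target, key)
        && target[key] !== null && typeof target[key] === 'object';
      if (!ownObject) target[key] = {};
      deepExtendSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges against the payload and reports whether a FRESH object
// (one the merge never touched) inherits the planted field. Cleans up after
// itself so the pollution does not leak into the rest of the process.
function demonstrate() {
  const probe = () => ({}).isAdmin === true;
  deepExtendVulnerable({}, JSON.parse(ATTACKER_JSON));
  const pollutedByVulnerable = probe();
  delete Object.prototype.isAdmin;
  deepExtendSafe({}, JSON.parse(ATTACKER_JSON));
  const pollutedBySafe = probe();
  delete Object.prototype.isAdmin;
  return { pollutedByVulnerable, pollutedBySafe };
}

console.log(JSON.stringify(demonstrate()));
```

The probe matters: pollution is not visible on the object you merged into but on every object created afterwards, which is why it surfaces as authorization bypasses or crashes far from the merge call. When auditing code, look for any recursive merge, `Object.assign`-style copy, or path-setter (`set(obj, "a.b.c", v)`) that is fed parsed JSON without rejecting `__proto__`, `constructor` and `prototype` keys.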
CVE · added 2019/08/08 2:15 a.m. · 90 views

CVE-2019-14769

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issu...

CVSS 6.1 · AI score 6 · EPSS 0.00317
CVE · added 2022/02/15 4:15 p.m. · 75 views

CVE-2022-24590

A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML.

CVSS 5.4 · AI score 5.3 · EPSS 0.00195
CVE · added 2022/11/22 1:15 p.m. · 68 views

CVE-2022-42097

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment'.

CVSS 4.8 · AI score 4.8 · EPSS 0.00393
CVE · added 2022/11/22 1:15 p.m. · 64 views

CVE-2022-42094

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.

CVSS 4.8 · AI score 4.8 · EPSS 0.17366
CVE · added 2025/02/03 4:15 a.m. · 57 views

CVE-2025-25062

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administr...

CVSS 4.4 · AI score 5.8 · EPSS 0.25298
CVE · added 2022/02/03 10:15 p.m. · 55 views

CVE-2021-45268

A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows remote attackers to gain Remote Code Execution (RCE) on the hosting webserver via uploading a malicious add-on containing a crafted PHP file. NOTE: the vendor disputes this because the attack requires a session co...

CVSS 8.8 · AI score 9.1 · EPSS 0.00307
CVE · added 2023/04/24 8:15 a.m. · 51 views

CVE-2023-31045

A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is execu...

CVSS 4.8 · AI score 4.9 · EPSS 0.00089
CVE · added 2024/07/22 6:15 a.m. · 45 views

CVE-2024-41709

Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.

CVSS 6.1 · AI score 7 · EPSS 0.00186
CVE · added 2025/02/03 4:15 a.m. · 42 views

CVE-2025-25063

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it...

CVSS 4.4 · AI score 5.7 · EPSS 0.00034
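What "sufficiently validate uploaded SVG images" looks like in practice, as an added example that is not Backdrop's fix and not part of this listing: an allowlist pre-check that rejects scripting elements, `on*` event-handler attributes, and clickable `href`/`xlink:href` values that are not same-document fragments, which are exactly the three things the entry names. The element allowlist, the rejection rules, the function names and the sample uploads are all constructed for the demonstration.

```javascript
// Added example (not Backdrop's code): allowlist gate for an uploaded SVG.
// Regex tokenising is a pre-filter, not a sanitiser: it cannot decode
// entities, and a '>' inside an attribute value confuses it, so a DOM/XML
// parser based sanitiser should still make the final decision before the
// file is ever served inline (or serve SVGs with Content-Disposition:
// attachment and a separate origin so scripts cannot reach the site's DOM).

const ALLOWED_ELEMENTS = new Set([
  'svg', 'g', 'defs', 'title', 'desc', 'path', 'rect', 'circle', 'ellipse',
  'line', 'polyline', 'polygon', 'text', 'tspan', 'lineargradient',
  'radialgradient', 'stop', 'clippath', 'mask', 'a',
]);

// Constructs rejected outright instead of being parsed: external entities,
// CDATA hiding markup from the tokenizer, and stylesheet processing instructions.
const FORBIDDEN_MARKUP = [/<!DOCTYPE/i, /<!ENTITY/i, /<!\[CDATA\[/i, /<\?xml-stylesheet/i];

// Opening, closing and self-closing tags: element name + raw attribute text.
const TAG_RE = /<\s*\/?\s*([A-Za-z][\w:.-]*)([^>]*)>/g;
// name="value" | name='value' | name=value
const ATTR_RE = /([^\s=\/"'<>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function checkSvgUpload(svgText) {
  for (const re of FORBIDDEN_MARKUP) {
    if (re.test(svgText)) return { ok: false, reason: `forbidden construct ${re.source}` };
  }
  for (const tag of svgText.matchAll(TAG_RE)) {
    const element = tag[1].toLowerCase();
    if (!ALLOWED_ELEMENTS.has(element)) {
      return { ok: false, reason: `element <${element}> not in allowlist` };
    }
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? '';
      if (name.startsWith('on')) {
        return { ok: false, reason: `event handler attribute ${name}` };
      }
      if (name === 'href' || name === 'xlink:href') {
        // Strip whitespace/control characters before checking: browsers
        // still execute "java\tscript:" and "java\nscript:" URLs.
        const target = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
        if (!target.startsWith('#')) {
          return { ok: false, reason: `${name} must be a same-document fragment, got ${JSON.stringify(value)}` };
        }
      }
      if (name === 'style' && /url\s*\(|expression\s*\(/i.test(value)) {
        return { ok: false, reason: 'style attribute with url()/expression()' };
      }
    }
  }
  return { ok: true, reason: null };
}

// Constructed sample uploads, one benign and three carrying the content
// classes the advisory names (script, event handler, scripted link).
const SAMPLE_UPLOADS = {
  benign: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>',
  script: '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>',
  handler: '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>',
  link: '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    + '<a xlink:href="java\tscript:alert(1)"><text x="0" y="10">click</text></a></svg>',
};

// Returns { sampleName: accepted(bool) } for every sample.
function checkAllSamples() {
  const results = {};
  for (const [name, svg] of Object.entries(SAMPLE_UPLOADS)) {
    results[name] = checkSvgUpload(svg).ok;
  }
  return results;
}

console.log(checkAllSamples());
```

An allowlist is the right shape here because the set of dangerous SVG features keeps growing (`<foreignObject>`, `<use>` with a `data:` href, `<set>`/`<animate>` writing into `href`), while the set of drawing primitives a CMS actually needs is small and stable.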
CVE · added 2025/06/26 4:15 p.m. · 5 views

CVE-2025-44141

A Cross-Site Scripting (XSS) vulnerability exists in the node creation form of Backdrop CMS 1.30.

CVSS 6.1 · AI score 6 · EPSS 0.00031