Backstage Security Vulnerabilities


CVE-2024-26150

@backstage/backend-common is a common functionality library for backends for Backstage, an open platform for building developer portals. In @backstage/backend-common prior to versions 0.21.1, 0.20.2, and 0.19.10, path checks with the resolveSafeChildPath utility were not exhaustive enough,...

CVSS: 8.7, AI Score: 8.5, EPSS: 0.0004

2024-02-23 04:15 PM

CVE-2023-25571

Backstage is an open platform for building developer portals. @backstage/catalog-model prior to version 1.2.0, @backstage/core-components prior to 0.12.4, and @backstage/plugin-catalog-backend prior to 1.7.2 are affected by a cross-site scripting vulnerability. This vulnerability allows a...

CVSS: 6.8, AI Score: 5.1, EPSS: 0.001

2023-02-14 06:15 PM

CVE-2023-35926

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been vm2, but in light of several past vulnerabilities and.....

CVSS: 9.9, AI Score: 9.9, EPSS: 0.003

2023-06-22 02:15 PM

CVE-2021-43783

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend.....

CVSS: 8.5, AI Score: 8.2, EPSS: 0.001

2021-11-29 08:15 PM

CVE-2021-43776

Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other.....

CVSS: 7.4, AI Score: 5.9, EPSS: 0.001

2021-11-26 07:15 PM

CVE-2021-41151

Backstage is an open platform for building developer portals. In affected versions a malicious actor could read sensitive files from the environment where Scaffolder Tasks are run. The attack is executed by crafting a custom Scaffolder template with a github:publish:pull-request action and a...

CVSS: 6.8, AI Score: 4.8, EPSS: 0.001

2021-10-18 09:15 PM

CVE-2021-32662

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In @backstage/techdocs-common versions prior to 0.6.3, a malicious actor could read sensitive files from the environment where TechDocs documentation is built....

CVSS: 6.5, AI Score: 6.2, EPSS: 0.001

2021-06-03 10:15 PM

CVE-2021-32661

Backstage is an open platform for building developer portals. In versions of Backstage's Techdocs Plugin (@backstage/plugin-techdocs) prior to 0.9.5, a malicious internal actor can potentially upload documentation content with malicious scripts by embedding the script within an object element....

CVSS: 7.3, AI Score: 7.1, EPSS: 0.002

2021-06-03 06:15 PM

CVE-2021-32660

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In versions of @backstage/techdocs-common prior to 0.6.4, a malicious internal actor is able to upload documentation content with malicious scripts. These...

CVSS: 8.1, AI Score: 8, EPSS: 0.002

2021-06-03 05:15 PM