Total
7 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-31045 | 1 Backdropcms | 1 Backdrop | 2024-04-11 | N/A | 4.8 MEDIUM |
A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anywhere." | |||||
CVE-2021-45268 | 1 Backdropcms | 1 Backdrop | 2024-04-11 | 6.8 MEDIUM | 8.8 HIGH |
A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons | |||||
CVE-2019-11358 | 11 Backdropcms, Debian, Drupal and 8 more | 105 Backdrop, Debian Linux, Drupal and 102 more | 2024-02-16 | 4.3 MEDIUM | 6.1 MEDIUM |
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. | |||||
CVE-2022-42097 | 1 Backdropcms | 1 Backdrop | 2023-12-10 | N/A | 4.8 MEDIUM |
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment.' . | |||||
CVE-2022-42094 | 1 Backdropcms | 1 Backdrop | 2023-12-10 | N/A | 4.8 MEDIUM |
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content. | |||||
CVE-2022-24590 | 1 Backdropcms | 1 Backdrop | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML. | |||||
CVE-2019-14769 | 1 Backdropcms | 1 Backdrop | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.) |