CVE-2024-41709
https://notcve.org/view.php?id=CVE-2024-41709
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission. • https://backdropcms.org/security/backdrop-sa-core-2024-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-31045
https://notcve.org/view.php?id=CVE-2023-31045
A stored cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anywhere." • https://github.com/backdrop/backdrop-issues/issues/6065 https://github.com/backdrop/backdrop/releases/tag/1.24.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-10004 – backdrop-contrib Basic Cart basic_cart.cart.inc basic_cart_checkout_form_submit cross site scripting
https://notcve.org/view.php?id=CVE-2012-10004
A vulnerability was found in backdrop-contrib Basic Cart on Drupal. It has been classified as problematic. Affected is the function basic_cart_checkout_form_submit of the file basic_cart.cart.inc. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. • https://github.com/backdrop-contrib/basic_cart/commit/a10424ccd4b3b4b433cf33b73c1ad608b11890b4 https://github.com/backdrop-contrib/basic_cart/releases/tag/1.x-1.1.1 https://vuldb.com/?ctiid.217950 https://vuldb.com/?id.217950 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42095
https://notcve.org/view.php?id=CVE-2022-42095
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content. • https://github.com/bypazs/CVE-2022-42095 https://backdropcms.org https://github.com/backdrop/backdrop/releases/tag/1.23.0 https://github.com/bypazs/Declined_backdrop-XSS-at-pAGES https://grimthereaperteam.medium.com/declined-backdrop-xss-at-pages-26e5d63686bc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42094
https://notcve.org/view.php?id=CVE-2022-42094
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content. • https://github.com/bypazs/CVE-2022-42094 https://backdropcms.org https://github.com/backdrop/backdrop/releases/tag/1.23.0 https://grimthereaperteam.medium.com/cve-2022-42094-backdrop-xss-at-cards-84266b5250f1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')