
CVSS: 4.4 • EPSS: 20% • CPEs: 2 • EXPL: 2

03 Feb 2025 — An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administr... • https://packetstorm.news/files/id/189006 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.4 • EPSS: 0% • CPEs: 2 • EXPL: 0

03 Feb 2025 — An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images withi... • https://backdropcms.org/security/backdrop-sa-core-2025-002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

22 Jul 2024 — Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission. • https://backdropcms.org/security/backdrop-sa-core-2024-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

24 Apr 2023 — A stored cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anyw... • https://github.com/backdrop/backdrop-issues/issues/6065 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jan 2023 — A vulnerability was found in backdrop-contrib Basic Cart on Drupal. It has been classified as problematic. Affected is the function basic_cart_checkout_form_submit of the file basic_cart.cart.inc. The manipulation leads to cross-site scripting. It is possible to launch the attack remotely. • https://github.com/backdrop-contrib/basic_cart/commit/a10424ccd4b3b4b433cf33b73c1ad608b11890b4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 27% • CPEs: 1 • EXPL: 3

23 Nov 2022 — Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content. • https://github.com/bypazs/CVE-2022-42095 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 10% • CPEs: 1 • EXPL: 2

22 Nov 2022 — Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content. • https://github.com/bypazs/CVE-2022-42094 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

22 Nov 2022 — Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment'. • https://github.com/bypazs/CVE-2022-42097 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 5% • CPEs: 1 • EXPL: 2

21 Nov 2022 — Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content. • https://github.com/bypazs/CVE-2022-42096 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

07 Oct 2022 — Backdrop CMS 1.22.0 has an Unrestricted File Upload vulnerability via 'themes' that allows attackers to achieve Remote Code Execution. Note: Third parties dispute this and argue that advanced permissions are required. • https://grimthereaperteam.medium.com/backdrop-cms-1-22-0-unrestricted-file-upload-themes-ad42a599561c • CWE-434: Unrestricted Upload of File with Dangerous Type