CVE-2024-41709
https://notcve.org/view.php?id=CVE-2024-41709
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places (stored XSS). The vulnerability is mitigated by the fact that an attacker must already hold a role with the "administer fields" permission. • https://backdropcms.org/security/backdrop-sa-core-2024-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-31045
https://notcve.org/view.php?id=CVE-2023-31045
A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anywhere." • https://github.com/backdrop/backdrop-issues/issues/6065 https://github.com/backdrop/backdrop/releases/tag/1.24.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-42095
https://notcve.org/view.php?id=CVE-2022-42095
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Page content. • https://github.com/bypazs/CVE-2022-42095 https://backdropcms.org https://github.com/backdrop/backdrop/releases/tag/1.23.0 https://github.com/bypazs/Declined_backdrop-XSS-at-pAGES https://grimthereaperteam.medium.com/declined-backdrop-xss-at-pages-26e5d63686bc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-42094
https://notcve.org/view.php?id=CVE-2022-42094
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Card' content. • https://github.com/bypazs/CVE-2022-42094 https://backdropcms.org https://github.com/backdrop/backdrop/releases/tag/1.23.0 https://grimthereaperteam.medium.com/cve-2022-42094-backdrop-xss-at-cards-84266b5250f1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-42097
https://notcve.org/view.php?id=CVE-2022-42097
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment' content. • https://github.com/bypazs/CVE-2022-42097 https://backdropcms.org https://github.com/backdrop/backdrop/releases/tag/1.23.0 https://grimthereaperteam.medium.com/cve-2022-42097-backdrop-xss-at-comments-2ea536ec55e1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
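All five entries above are the same bug class (CWE-79 stored XSS): a string that a privileged user saves (a field label, a text format name, page, card or comment content) is later rendered into HTML without being escaped for that context. The following is an added illustrative example, not code from Backdrop core, from the advisories or from the linked write-ups. It defines minimal stand-ins for Backdrop's check_plain() and for the t() placeholder convention inherited from Drupal 7 (where '@name' is escaped and '!name' is substituted raw); those stand-ins are assumptions about the real functions' behaviour, written only to contrast the unescaped and escaped rendering of an attacker-chosen field label. The render_label_* functions and the sample label are constructed for this example.

```php
<?php
// Added illustrative example, not Backdrop core code. The two helpers below
// are minimal stand-ins for Backdrop's check_plain() and t() placeholder
// handling (an assumption about their behaviour, not the real functions),
// written only to contrast unescaped and escaped rendering of an
// administrator-supplied field label.

// Stand-in for check_plain(): HTML-escape a UTF-8 string, quotes included.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for t(): '@name' placeholders are escaped with check_plain(),
// '!name' placeholders are substituted raw (the caller must guarantee safety).
function t($string, array $args = array()) {
    foreach ($args as $key => $value) {
        if ($key[0] === '@') {
            $args[$key] = check_plain($value);
        }
        // '!' placeholders are deliberately left untouched.
    }
    return strtr($string, $args);
}

// Vulnerable pattern: the label reaches the page through a raw placeholder
// (plain string concatenation would be equally bad).
function render_label_unsafe($label) {
    return '<th>' . t('Edit !label', array('!label' => $label)) . '</th>';
}

// Hardened pattern: the '@' placeholder escapes the label at output time.
function render_label_safe($label) {
    return '<th>' . t('Edit @label', array('@label' => $label)) . '</th>';
}

// Constructed sample: a label an "administer fields" user could save.
$label = '<img src=x onerror=alert(document.domain)>';

$unsafe = render_label_unsafe($label);
$safe   = render_label_safe($label);

// The raw rendering still contains a live <img> tag with an event handler;
// the escaped rendering contains no tag at all, only text.
if (strpos($unsafe, '<img') === false || strpos($safe, '<img') !== false) {
    throw new RuntimeException('unexpected rendering');
}

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Run it with `php example.php`. The practical checks for a site owner are the ones the advisories imply: upgrade to a fixed release (1.27.3 / 1.28.2 for the field-label issue, 1.24.2 for the text format name issue), and audit who holds "administer fields" and text format configuration permissions, since, as the vendor notes on CVE-2023-31045, an administrator who can configure text formats could simply enable Full HTML, so output escaping only helps against users who were not meant to have that level of trust.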