CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-31045
https://notcve.org/view.php?id=CVE-2023-31045
A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anywhere." • https://github.com/backdrop/backdrop-issues/issues/6065 https://github.com/backdrop/backdrop/releases/tag/1.24.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2022-42094
https://notcve.org/view.php?id=CVE-2022-42094
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content. Se descubrió que la versión 1.23.0 de Background CMS contenía una vulnerabilidad de Cross-Site Scripting (XSS) almacenada a través del contenido 'Card'. • https://github.com/bypazs/CVE-2022-42094 https://backdropcms.org https://github.com/backdrop/backdrop/releases/tag/1.23.0 https://grimthereaperteam.medium.com/cve-2022-42094-backdrop-xss-at-cards-84266b5250f1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2022-42097
https://notcve.org/view.php?id=CVE-2022-42097
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment.' . Se descubrió que la versión 1.23.0 de Background CMS contiene una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado a través de 'Comment.'. • https://github.com/bypazs/CVE-2022-42097 https://backdropcms.org https://github.com/backdrop/backdrop/releases/tag/1.23.0 https://grimthereaperteam.medium.com/cve-2022-42097-backdrop-xss-at-comments-2ea536ec55e1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2022-24590
https://notcve.org/view.php?id=CVE-2022-24590
A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML. Una vulnerabilidad de tipo cross-site scripting (XSS) almacenada en la función Add Link de BackdropCMS versión v1.21.1, permite a atacantes ejecutar scripts web o HTML arbitrarios • https://github.com/Nguyen-Trung-Kien/CVE https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24590/CVE-2022-24590.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-45268
https://notcve.org/view.php?id=CVE-2021-45268
A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons ** EN DISPUTA ** Se presenta una vulnerabilidad de tipo Cross Site Request Forgery (CSRF) en Backdrop CMS versión 1.20, que permite a atacantes remotos conseguir una ejecución de código remota (RCE) en el servidor web de alojamiento por medio de la carga de un complemento malicioso con un archivo PHP diseñado. NOTA: el proveedor disputa esto porque el ataque requiere una cookie de sesión de un usuario autenticado con alto privilegio que tiene derecho a instalar complementos arbitrarios • https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS https://www.exploit-db.com/exploits/50323 • CWE-352: Cross-Site Request Forgery (CSRF) •