
CVE-2021-32660 – TechDocs content sanitization bypass
https://notcve.org/view.php?id=CVE-2021-32660
03 Jun 2021 — Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In versions of `@backstage/techdocs-common` prior to 0.6.4, a malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user into visiting the content via the TechDocs API, the content sanitization will be bypassed. If the TechDocs API is hosted on the same origi... • https://github.com/backstage/backstage/commit/aad98c544e59369901fe9e0a85f6357644dceb5c • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-434: Unrestricted Upload of File with Dangerous Type