#VU30510 Cross-site scripting in Backdrop CMS - CVE-2019-19901

Cybersecurity Help s.r.o.

Published: 2019-12-19 | Updated: 2020-07-17

Vulnerability identifier: #VU30510

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-19901

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Backdrop CMS
Web applications / CMS

Vendor: Backdrop CMS

Description

The vulnerability allows a remote privileged user to read and manipulate data.

An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when configuring a layout, aka XSS. This issue is mitigated by the fact that the attacker would be required to have the permission to create custom blocks, which is typically an administrative task.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Backdrop CMS: 1.14.0 - 1.14.1

External links
https://backdropcms.org/security/backdrop-sa-core-2019-013

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Backdrop CMS