#VU30828 Cross-site scripting in Backdrop CMS - CVE-2019-14769

Cybersecurity Help s.r.o.

Published: 2019-08-08 | Updated: 2020-07-17

Vulnerability identifier: #VU30828

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-14769

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Backdrop CMS
Web applications / CMS

Vendor: Backdrop CMS

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.)

Mitigation
Install update from vendor's website.

Vulnerable software versions

Backdrop CMS: 1.13.0 - 1.13.2

External links
https://backdropcms.org/security/backdrop-sa-core-2019-011

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Backdrop CMS