CVE-2024-41709 — Cross-site Scripting in Backdrop

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.8MEDIUMNVD

EPSS

0.3%

top 43.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Backdropcms Backdrop Backdrop

Timeline

PublishedJul 22

Description

Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶Packagistbackdrop/backdrop1.28.0 — 1.28.2+1

▶NVDbackdropcms/backdrop1.27.0 — 1.27.3+1

🔴Vulnerability Details

CVEList

CVE-2024-41709: Backdrop CMS before 1↗2024-07-22

▶

OSV

Backdrop CMS does not sufficiently sanitize field labels before they are displayed in certain places↗2024-07-22

▶

GHSA

Backdrop CMS does not sufficiently sanitize field labels before they are displayed in certain places↗2024-07-22

▶