Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zd214LTQ4ZzMteDY2Z84AA-Ds
Backdrop CMS does not sufficiently sanitize field labels before they are displayed in certain places
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.
Permalink: https://github.com/advisories/GHSA-3wmx-48g3-x66g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zd214LTQ4ZzMteDY2Z84AA-Ds
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-3wmx-48g3-x66g, CVE-2024-41709
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-41709
- https://backdropcms.org/security/backdrop-sa-core-2024-001
- https://github.com/backdrop/backdrop/commit/c7ff0500705668e3f58263590812872e44059301
- https://github.com/backdrop/backdrop/commit/f1dfe710c186fb47c9d949f01f37e5ab42b44030
- https://github.com/advisories/GHSA-3wmx-48g3-x66g
Blast Radius: 1.0
Affected Packages
packagist:backdrop/backdrop
Dependent packages: 0
Dependent repositories: 0
Downloads: 291 total
Affected Version Ranges: >= 1.28.0, < 1.28.2, < 1.27.3
Fixed in: 1.28.2, 1.27.3
All affected versions: 1.17.3, 1.18.3, 1.19.1, 1.20.3, 1.21.0, 1.21.1, 1.21.3, 1.21.4, 1.22.1, 1.22.2, 1.27.0, 1.28.0
All unaffected versions: 1.29.0