CVE-2019-19901

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-19901
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-19901.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-19901
Published
2019-12-19T06:15:11Z
Modified
2025-01-08T06:01:54.381687Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description that causes script to execute in an administrator's browser when the administrator configures a layout, aka XSS. This issue is mitigated by the fact that the attacker would be required to have the permission to create custom blocks, which is typically an administrative task.

References

Affected packages

Git / github.com/backdrop/backdrop

Affected ranges

Type
GIT
Repo
https://github.com/backdrop/backdrop
Events

Affected versions

1.*

1.13.0
1.13.1
1.13.2
1.13.3
1.13.4