CVE-2019-14770: XSS
First published: Thu Aug 08 2019(Updated: )
In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions to create administrative menu links, such as by creating a content type or layout. Such permissions are usually restricted to trusted or administrative users.)
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Backdrop CMS | >=1.12.0<1.12.8 | |
| Backdrop CMS | >=1.13.0<1.13.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2019-14770.
What is the severity of CVE-2019-14770?
The severity of CVE-2019-14770 is medium (6.1).
Which version of Backdrop CMS is affected by CVE-2019-14770?
Backdrop CMS versions 1.12.x before 1.12.8 and 1.13.x before 1.13.3 are affected by CVE-2019-14770.
How does CVE-2019-14770 affect the administration bar in Backdrop CMS?
CVE-2019-14770 allows crafted menu links within the administration bar to execute JavaScript when the administrator is logged in and uses the search functionality.
Is there a mitigation for CVE-2019-14770?
The issue is partially mitigated by requiring the attacker to have permissions to create administrative menu links.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/backdropcms
- canonical/backdrop cms
- version/backdrop cms/1.12.0
- version/backdrop cms/1.13.0