CVE-2019-19900: XSS
First published: Thu Dec 19 2019(Updated: )
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer content types" permission.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Backdrop CMS | >=1.13.0<1.13.5 | |
| Backdrop CMS | >=1.14.0<1.14.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue with Backdrop CMS?
The vulnerability ID for this issue with Backdrop CMS is CVE-2019-19900.
What is the severity of CVE-2019-19900?
CVE-2019-19900 has a severity rating of 4.8, which is considered medium.
What is the affected software for CVE-2019-19900?
The affected software for CVE-2019-19900 is Backdrop CMS versions 1.13.x before 1.13.5 and 1.14.x before 1.14.2.
What is the CWE ID for CVE-2019-19900?
The CWE ID for CVE-2019-19900 is CWE-79.
How can the vulnerability CVE-2019-19900 be fixed?
To fix the vulnerability CVE-2019-19900, it is recommended to update Backdrop CMS to version 1.13.5 or 1.14.2.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/backdropcms
- canonical/backdrop cms
- version/backdrop cms/1.13.0
- version/backdrop cms/1.14.0