CVE-2019-19900

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-19900
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19900.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-19900
Published
2019-12-19T06:15:10Z
Modified
2025-01-14T07:53:37.533778Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer content types" permission.

References

Affected packages

Git / github.com/backdrop/backdrop

Affected ranges

Type
GIT
Repo
https://github.com/backdrop/backdrop
Events

Affected versions

1.*

1.13.0
1.13.1
1.13.2
1.13.3
1.13.4