GHSA-3wmx-48g3-x66g

Source
https://github.com/advisories/GHSA-3wmx-48g3-x66g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-3wmx-48g3-x66g/GHSA-3wmx-48g3-x66g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3wmx-48g3-x66g
Aliases
Published
2024-07-22T06:31:08Z
Modified
2024-07-25T18:26:55.694986Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Backdrop CMS does not sufficiently sanitize field labels before they are displayed in certain places
Details

Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.

References

Affected packages

Packagist / backdrop/backdrop

Package

Name
backdrop/backdrop
Purl
pkg:composer/backdrop/backdrop

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.27.3

Affected versions

1.*

1.13.2-rc1
1.13.2-rc2
1.17.3
1.18.3
1.19.1
1.20.3
1.21.0
1.21.1
1.21.3
1.21.4
1.22.1
1.22.2
1.27.0

Packagist / backdrop/backdrop

Package

Name
backdrop/backdrop
Purl
pkg:composer/backdrop/backdrop

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.28.0
Fixed
1.28.2

Affected versions

1.*

1.28.0