CVE-2024-41709
MEDIUM4.8EPSS 0.34%Backdrop CMS does not sufficiently sanitize field labels before they are displayed in certain places
發布日:2024/7/22修改日:2025/3/21
描述
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.
受影響套件(1)
- Packagist/backdrop/backdropfrom 0, < 1.27.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-41709
- PATCHhttps://github.com/backdrop-ops/backdrop-composer
- WEBhttps://backdropcms.org/security/backdrop-sa-core-2024-001
- WEBhttps://github.com/backdrop/backdrop/commit/c7ff0500705668e3f58263590812872e44059301
- WEBhttps://github.com/backdrop/backdrop/commit/f1dfe710c186fb47c9d949f01f37e5ab42b44030