CVE-2019-14770

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions to create administrative menu links, such as by creating a content type or layout. Such permissions are usually restricted to trusted or administrative users.)
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
backdropcmsbackdrop_core
1.12.0 ≤
𝑥
< 1.12.8
backdropcmsbackdrop_core
1.13.0 ≤
𝑥
< 1.13.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://backdropcms.org/security/backdrop-sa-core-2019-010
https://backdropcms.org/security/backdrop-sa-core-2019-010