Vulnerability Details CVE-2019-19900
An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content, aka XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer content types" permission.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 60.8%
CVSS Severity
CVSS v3 Score 4.8
CVSS v2 Score 3.5
References
Products affected by CVE-2019-19900
-
cpe:2.3:a:backdropcms:backdrop_cms:1.13.0
-
cpe:2.3:a:backdropcms:backdrop_cms:1.13.1
-
cpe:2.3:a:backdropcms:backdrop_cms:1.13.2
-
cpe:2.3:a:backdropcms:backdrop_cms:1.13.3
-
cpe:2.3:a:backdropcms:backdrop_cms:1.13.4
-
cpe:2.3:a:backdropcms:backdrop_cms:1.14.0
-
cpe:2.3:a:backdropcms:backdrop_cms:1.14.1