Backdropcms Backdrop
By the Year
In 2024 there has been 1 vulnerability in Backdropcms Backdrop, with an average score of 4.8 out of ten. Last year Backdrop had 1 security vulnerability published. At the current rate, the number of vulnerabilities last year and this year may equal out. Interestingly, the average vulnerability score and the number of vulnerabilities for 2024 and last year were the same.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 1 | 4.80 |
2023 | 1 | 4.80 |
2022 | 4 | 5.95 |
2021 | 0 | 0.00 |
2020 | 0 | 0.00 |
2019 | 2 | 6.10 |
2018 | 0 | 0.00 |
It may take a day or so for new Backdrop vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Backdropcms Backdrop Security Vulnerabilities
CVE-2024-41709 | 4.8 - Medium | July 22, 2024
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.
XSS
CVE-2023-31045 | 4.8 - Medium | April 24, 2023
A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anywhere."
XSS
CVE-2022-42097 | 4.8 - Medium | November 22, 2022
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment'.
XSS
CVE-2022-42094 | 4.8 - Medium | November 22, 2022
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.
XSS
CVE-2022-24590 | 5.4 - Medium | February 15, 2022
A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML.
XSS
CVE-2021-45268 | 8.8 - High | February 03, 2022
A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows remote attackers to gain Remote Code Execution (RCE) on the hosting webserver via uploading a malicious add-on with a crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons.
Session Riding
CVE-2019-14769 | 6.1 - Medium | August 08, 2019
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.)
XSS
CVE-2019-11358 | 6.1 - Medium | April 20, 2019
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Prototype Pollution