Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

  1. Reconshell
  2. Vulnerabilities (CVE)
Filtered by vendor Backdropcms Subscribe
Filtered by product Backdrop
Total 6 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-42097 1 Backdropcms 1 Backdrop 2022-11-23 N/A 4.8 MEDIUM
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment.' .
CVE-2022-42094 1 Backdropcms 1 Backdrop 2022-11-23 N/A 4.8 MEDIUM
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.
CVE-2019-11358 10 Backdropcms, Debian, Drupal and 7 more 104 Backdrop, Debian Linux, Drupal and 101 more 2022-04-06 4.3 MEDIUM 6.1 MEDIUM
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2022-24590 1 Backdropcms 1 Backdrop 2022-02-22 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML.
CVE-2021-45268 1 Backdropcms 1 Backdrop 2022-02-09 6.8 MEDIUM 8.8 HIGH
** DISPUTED ** A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons.
CVE-2019-14769 1 Backdropcms 1 Backdrop 2019-08-15 4.3 MEDIUM 6.1 MEDIUM
Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.)