CVE-2019-14770 - OpenCVE

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions to create administrative menu links, such as by creating a content type or layout. Such permissions are usually restricted to trusted or administrative users.)

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Backdropcms	Backdrop Core

Configuration 1 [-]

OR	cpe:2.3:a:backdropcms:backdrop_core::::::::
	cpe:2.3:a:backdropcms:backdrop_core::::::::

No data.

References

Link	Providers
https://backdropcms.org/security/backdrop-sa-core-2019-010

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-08-08T01:36:04

Updated: 2024-08-05T00:26:38.687Z

Reserved: 2019-08-07T00:00:00

Link: CVE-2019-14770

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-08-08T02:15:11.100

Modified: 2019-08-16T14:07:03.343

Link: CVE-2019-14770

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions to create administrative menu links, such as by creating a content type or layout. Such permissions are usually restricted to trusted or administrative users.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-08T01:36:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://backdropcms.org/security/backdrop-sa-core-2019-010"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14770", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions to create administrative menu links, such as by creating a content type or layout. Such permissions are usually restricted to trusted or administrative users.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://backdropcms.org/security/backdrop-sa-core-2019-010", "refsource": "MISC", "url": "https://backdropcms.org/security/backdrop-sa-core-2019-010"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:38.687Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://backdropcms.org/security/backdrop-sa-core-2019-010"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14770", "datePublished": "2019-08-08T01:36:04", "dateReserved": "2019-08-07T00:00:00", "dateUpdated": "2024-08-05T00:26:38.687Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:backdropcms:backdrop_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DD13689-CB4A-423E-9E68-FFDCF102623D", "versionEndExcluding": "1.12.8", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:backdropcms:backdrop_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F448765-5F16-4C90-B248-3F6D75C86661", "versionEndExcluding": "1.13.3", "versionStartIncluding": "1.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. (This issue is mitigated by the attacker needing permissions to create administrative menu links, such as by creating a content type or layout. Such permissions are usually restricted to trusted or administrative users.)"}, {"lang": "es", "value": "En CMS de Backdrop versiones 1.12.x anteriores a 1.12.8 y versiones 1.13.x anteriores a 1.13.3, algunos enlaces de men\u00fa dentro de la barra de administraci\u00f3n pueden ser dise\u00f1ados para ejecutar JavaScript cuando el administrador inicia sesi\u00f3n y usa la funcionalidad search. (Este problema es mitigado por el atacante necesitando permisos para crear enlaces de men\u00fa administrativo, tal y como la creaci\u00f3n de un tipo de contenido o dise\u00f1o. Tales permisos est\u00e1n restringidos usualmente para usuarios confiables o administrativos)."}], "id": "CVE-2019-14770", "lastModified": "2019-08-16T14:07:03.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-08T02:15:11.100", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://backdropcms.org/security/backdrop-sa-core-2019-010"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}