Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability.
Metrics
Affected Vendors & Products
References
History
Wed, 18 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 18 Sep 2024 01:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Tue, 17 Sep 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability. | |
Title | Circumvention of cross site scripting Protection in @backstage/plugin-techdocs-backend | |
Weaknesses | CWE-693 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-17T20:12:35.332Z
Updated: 2024-09-18T13:47:17.911Z
Reserved: 2024-09-16T16:10:09.017Z
Link: CVE-2024-46976
Vulnrichment
Updated: 2024-09-18T13:47:10.361Z
NVD
Status : Awaiting Analysis
Published: 2024-09-17T21:15:12.763
Modified: 2024-09-20T12:30:51.220
Link: CVE-2024-46976
Redhat