Backdrop core - Moderately critical - Cross Site Scripting - SA-CORE-2019-011
Backdrop CMS doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label so that script executes in an administrator's browser when that administrator administers a layout.
This issue is mitigated by the attacker requiring permission to create custom blocks on the site, which is typically an administrative permission.
Versions affected:
- Backdrop Core 1.13.x versions prior to 1.13.3
- Backdrop Core 1.12.x versions prior to 1.12.8
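
A check of an installed version against the two branches listed above, as an added example that is not part of the advisory or of Backdrop's own code. It assumes the version is declared as `define('BACKDROP_VERSION', '...')` in `core/includes/bootstrap.inc`; the function names and the sample input are constructed for illustration.

```python
import re

# First fixed release per branch, taken from the advisory's version list.
FIXED = {(1, 13): 3, (1, 12): 8}

# Assumption: Backdrop declares its version as define('BACKDROP_VERSION', '...')
# in core/includes/bootstrap.inc.
VERSION_DEFINE = re.compile(r"define\(\s*'BACKDROP_VERSION'\s*,\s*'([^']+)'\s*\)")
RELEASE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def extract_version(bootstrap_source):
    """Return the BACKDROP_VERSION string from bootstrap.inc text, or None."""
    m = VERSION_DEFINE.search(bootstrap_source)
    return m.group(1) if m else None


def classify(version):
    """Classify a version string against SA-CORE-2019-011.

    affected: on a listed branch, below that branch's fixed release
    fixed:    on a listed branch, at or above the fixed release
    unlisted: a release on a branch the advisory does not name
    unknown:  not a plain x.y.z release (dev checkout, missing, garbled)
    """
    m = RELEASE.fullmatch(version or "")
    if not m:
        return "unknown"
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unlisted"
    # Compare numerically so that 1.12.10 is not treated as older than 1.12.8.
    return "affected" if patch < fixed_patch else "fixed"


# Constructed sample input, not taken from a real site.
SAMPLE_BOOTSTRAP = """<?php
/**
 * The current system version.
 */
define('BACKDROP_VERSION', '1.13.2');
"""

if __name__ == "__main__":
    found = extract_version(SAMPLE_BOOTSTRAP)
    print(found, classify(found))
    for v in ("1.12.8", "1.12.10", "1.11.4", "1.x-dev"):
        print(v, classify(v))
```

A result of `unlisted` or `unknown` means the advisory's version list does not decide the question for that install, not that the install is safe.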