- Backdrop Core 1.13.x versions prior to 1.13.3
- Backdrop Core 1.12.x versions prior to 1.12.8
Backdrop CMS does not sufficiently filter output when displaying certain block labels created by administrators. An attacker who can create a custom block could craft a specially formed label that causes script to execute in an administrator's browser when that administrator is administering a layout.
This issue is mitigated by the fact that the attacker must already hold permission to create custom blocks on the site, which is typically an administrative permission.
- Jen Lampton of the Backdrop CMS Security Team