- Backdrop Core 1.14.x versions prior to 1.14.2
- Backdrop Core 1.13.x versions prior to 1.13.5
Backdrop CMS does not sufficiently filter output when displaying certain block descriptions created by administrators. An attacker who can create custom blocks could craft a description containing script, which would then execute in the browser of an administrator configuring a layout (a cross-site scripting issue).

This issue is mitigated by the fact that the attacker must already hold the permission to create custom blocks, which is typically granted only to administrators.
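The vulnerability class described above, as an added illustration that is not Backdrop's code and not the actual fix (the advisory does not say which code path or escaping helper was involved). It assumes a block array with a `description` key, uses Backdrop's `check_plain()` escaping helper (inherited from Drupal 7), and carries a polyfill for that helper only so the snippet runs under plain PHP outside Backdrop:

```php
<?php
// Illustrative example only: not Backdrop's code and not the actual fix.
// It shows the class of bug the advisory describes: a block description
// entered by a user with the "create custom blocks" permission is later
// rendered into the layout configuration UI without output escaping.

// Backdrop (like Drupal 7) provides check_plain(); this polyfill only lets
// the example run under plain PHP CLI outside Backdrop (assumption: the
// real helper does the same HTML-escaping of the string).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: a custom block whose description carries script.
$block = array(
  'info' => 'Promo block',
  'description' => 'Summer sale <img src=x onerror="alert(document.cookie)">',
);

// Vulnerable rendering (hypothetical helper name): the raw description is
// interpolated into HTML that an administrator's browser will parse on the
// layout configuration page, so the attacker's markup becomes live.
function render_block_option_vulnerable(array $block) {
  return '<div class="block-description">' . $block['description'] . '</div>';
}

// Hardened rendering (hypothetical helper name): escape user-supplied text
// before it reaches HTML, so the markup is displayed literally rather than
// interpreted by the browser.
function render_block_option_hardened(array $block) {
  return '<div class="block-description">' . check_plain($block['description']) . '</div>';
}

// A quick check a practitioner might run over rendered admin markup to
// confirm that no user-controlled tag or event handler survived escaping.
function contains_live_markup($html) {
  return preg_match('/<img\b|onerror=/i', $html) === 1;
}

print render_block_option_vulnerable($block) . "\n";
print render_block_option_hardened($block) . "\n";
var_dump(contains_live_markup(render_block_option_vulnerable($block)));
var_dump(contains_live_markup(render_block_option_hardened($block)));
```

Where a description is intended to carry a limited set of markup rather than plain text, Backdrop's `filter_xss()` or `filter_xss_admin()` are the helpers to use instead of `check_plain()`; the point is the same, that text supplied by one user must be filtered at the moment it is output into a page another user will view.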
- Jen Lampton of the Backdrop CMS Security Team