- Backdrop Core 1.14.x versions prior to 1.14.2
Backdrop CMS doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could craft a specialized description containing script, which would then execute in the browser of an administrator viewing the list of file types.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer file types".
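The flawed and the corrected output handling side by side, as an added illustration that is not Backdrop's own code: the array shape, the two row-builder functions, the sample description and the assumption that the table renderer emits cell strings unchanged are all hypothetical; `check_plain()` is Backdrop's escaping helper, with a stand-in defined so the file runs outside Backdrop.

```php
<?php
// Hypothetical illustration of the file types listing, not Backdrop code.

if (!function_exists('check_plain')) {
  // Stand-in so this file runs on its own; mirrors what Backdrop's
  // check_plain() does: escape <, >, &, " and ' as HTML entities.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: a description stored by a user holding the
// "Administer file types" permission; it carries markup.
$sample_types = array(
  'image' => array(
    'label' => 'Image',
    'description' => 'Pictures <script>console.log("constructed")</script>',
  ),
);

// Vulnerable pattern: the label is escaped but the description is placed
// into the table cell as-is. Assuming the table renderer outputs cell
// strings verbatim, the markup reaches the administrator's browser intact.
function file_types_rows_vulnerable(array $types) {
  $rows = array();
  foreach ($types as $type) {
    $rows[] = array(check_plain($type['label']), $type['description']);
  }
  return $rows;
}

// Hardened pattern: every administrator-supplied string is escaped at the
// point of output, so the description renders as text, not as markup.
function file_types_rows_hardened(array $types) {
  $rows = array();
  foreach ($types as $type) {
    $rows[] = array(
      check_plain($type['label']),
      check_plain($type['description']),
    );
  }
  return $rows;
}

$unsafe = file_types_rows_vulnerable($sample_types);
$safe = file_types_rows_hardened($sample_types);
echo "vulnerable cell: ", $unsafe[0][1], "\n";
echo "hardened cell:   ", $safe[0][1], "\n";
```

Run with `php` on the command line; the hardened cell shows the tag as `&lt;script&gt;`, which a browser displays as literal text.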
- Bot Kotatu
- Nate Lampton of the Backdrop CMS Security Team
- Jen Lampton of the Backdrop CMS Security Team