- Backdrop Core 1.14.x versions prior to 1.14.2
Backdrop CMS doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer file types".
Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.14.2 release page. See the update instructions, if needed.
- Bot Kotatu
- Nate Lampton of the Backdrop CMS Security Team
- Jen Lampton of the Backdrop CMS Security Team