CVE-2024-41709

Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.

Published: Jul 22, 2024
Updated: May 4, 2025
CVE: CVE-2024-41709
GHSA: GHSA-3wmx-48g3-x66g
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
backdropcms / backdrop	1.28.0	1.28.2
backdropcms / backdrop	1.27.0	1.27.3
backdrop / backdrop	-	1.27.3
backdrop / backdrop	1.28.0	1.28.2

https://backdropcms.org/security/backdrop-sa-core-2024-001
https://github.com/backdrop/backdrop/commit/c7ff0500705668e3f58263590812872e44059301
https://github.com/backdrop/backdrop/commit/f1dfe710c186fb47c9d949f01f37e5ab42b44030

Vulnerability Database

289,599

CVE-2024-41709