CVE-2021-43776 HIGH

CVE-2021-43776: XSS vulnerability in @backstage/plugin-auth-backend

Vendor Backstage
Product backstage
Weakness CWE-79 · XSS
Published November 26, 2021
Last update August 4, 2024

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

Description

Backstage is an open platform for building developer portals. In affected versions, the auth-backend plugin lets an attacker craft a URL that, when visited by another user, executes attacker-controlled script in that user's browser (reflected cross-site scripting). That script can exfiltrate access tokens or other secrets held by the browser. The default Content Security Policy blocks this attack, but some deployments are expected to have disabled it because of incompatibilities, and those deployments are exposed. The vulnerability is patched in version `0.4.9` of `@backstage/plugin-auth-backend`; deployments that cannot upgrade immediately should at least keep the default CSP enabled.

Key dates

Disclosure timeline

November 26, 2021 CVE published
August 4, 2024 Record updated
