CVE-2024-46976 MEDIUM

CVE-2024-46976: Circumvention of cross site scripting Protection in @backstage/plugin-techdocs-backend

Vendor Backstage
Product backstage
Weakness CWE-693
Published September 17, 2024
Last update September 18, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

September 17, 2024 CVE published
September 18, 2024 Record updated