Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Link | Resource |
---|---|
https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685 | Third Party Advisory |
Configurations
History
23 Sep 2024, 18:27
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685 - Third Party Advisory | |
First Time |
Backstage
Backstage backstage |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
CPE | cpe:2.3:a:backstage:backstage:*:*:*:*:*:*:*:* | |
CWE | CWE-79 |
20 Sep 2024, 12:30
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
17 Sep 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-17 21:15
Updated : 2024-09-23 18:27
NVD link : CVE-2024-46976
Mitre link : CVE-2024-46976
CVE.ORG link : CVE-2024-46976
JSON object : View
Products Affected
backstage
- backstage