CVE-2024-41709

{"id": "CVE-2024-41709", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2024-07-22T06:15:02.260", "references": [{"url": "https://backdropcms.org/security/backdrop-sa-core-2024-001", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the \"administer fields\" permission."}, {"lang": "es", "value": " Backdrop CMS anterior a 1.27.3 y 1.28.x anterior a 1.28.2 no sanitiza suficientemente las etiquetas de campo antes de que se muestren en ciertos lugares. Esta vulnerabilidad se ve mitigada por el hecho de que un atacante debe tener un rol con permiso de \"administer fields\"."}], "lastModified": "2024-07-25T15:22:06.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC13CD41-6420-435F-9FF9-EFE0A441F645", "versionEndExcluding": "1.27.3", "versionStartIncluding": "1.27.0"}, {"criteria": "cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B623B82C-CAA7-482A-97CD-CB73353676DA", "versionEndExcluding": "1.28.2", "versionStartIncluding": "1.28.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}