CVE-2021-43776

Опубликовано: 26 нояб. 2021

Источник: nvd

CVSS3: 7.4

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities. This is vulnerability is patched in version 0.4.9 of @backstage/plugin-auth-backend.

Ссылки

https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49
Third Party Advisory
https://github.com/backstage/backstage/tree/master/plugins/auth-backend
Product
Third Party Advisory
https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49
Third Party Advisory
https://github.com/backstage/backstage/tree/master/plugins/auth-backend
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:linuxfoundation:auth_backend:*:*:*:*:*:node.js:*:*

Версия до 0.4.9 (исключая)

EPSS

Процентиль: 54%

0.00311

Низкий

7.4 High

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-w7fj-336r-vw49

CVSS3: 7.4

github

около 4 лет назад

Cross-Site Scripting vulnerability in @backstage/plugin-auth-backend

EPSS

Процентиль: 54%

0.00311

Низкий

7.4 High

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79