Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-25571
Summary
Backstage is an open platform for building developer portals. "@backstage/catalog-model" prior to version 1.2.0, "@backstage/core-components" prior to version 0.12.4, and "@backstage/plugin-catalog-backend" prior to version 1.7.2 are affected by a Cross-Site Scripting vulnerability. This vulnerability allows a malicious actor with access to add or modify content in an instance of the Backstage software catalog to inject script URLs into the entities stored in the catalog. If users of the catalog then click on those URLs, that can lead to an XSS attack. This vulnerability has been patched in both the frontend and backend implementations. The default "Link" component from "@backstage/core-components" version 1.2.0 and greater will now reject "javascript:" URLs, and there is a global override of "window.open" that does the same. In addition, "@backstage/catalog-model" version 0.12.4 and greater as well as "@backstage/plugin-catalog-backend" version 1.7.2 and greater now have additional validation built in that prevents "javascript:" URLs in known annotations. As a workaround, the general practice of limiting access to modifying catalog content and requiring code reviews greatly helps mitigate this vulnerability.
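The following is an added example, not code from the Backstage project, showing the three defensive measures the summary describes as plain Node.js functions: a scheme check that rejects "javascript:" hrefs after browser-style URL normalization (the kind of check a "Link" component can apply), a backend-side validation pass over an entity's URL-bearing annotations and links, and a guard that wraps "window.open". The function names, the annotation keys listed, and the sample entity are all assumptions made for illustration.

```javascript
// Added example (not Backstage's own code). Function names, the annotation
// keys and the sample entity are assumptions for illustration only.

const BLOCKED_SCHEMES = new Set(['javascript:']);

// Resolve the href the way a browser would (WHATWG URL parsing) so that
// variants such as "JavaScript:", "  javascript:" or "java\tscript:" are
// normalized before the scheme is compared. A naive
// href.startsWith('javascript:') check misses all three.
function isSafeHref(href, base = 'https://portal.example.invalid/') {
  if (typeof href !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(href, base);
  } catch {
    return false; // unparseable: refuse rather than guess
  }
  return !BLOCKED_SCHEMES.has(parsed.protocol.toLowerCase());
}

// Annotation keys assumed (for this example) to carry URLs.
const URL_ANNOTATIONS = ['backstage.io/view-url', 'backstage.io/edit-url'];

// Backend-side check in the spirit of "validation in known annotations":
// returns a list of problems; an empty list means the entity is acceptable.
// metadata.links is assumed to be an array of { url, title } objects.
function validateEntityLinks(entity) {
  const problems = [];
  const metadata = entity.metadata || {};
  const annotations = metadata.annotations || {};
  for (const key of URL_ANNOTATIONS) {
    if (key in annotations && !isSafeHref(annotations[key])) {
      problems.push(`annotation ${key} has a blocked URL scheme`);
    }
  }
  (metadata.links || []).forEach((link, i) => {
    if (!isSafeHref(link.url)) {
      problems.push(`metadata.links[${i}].url has a blocked URL scheme`);
    }
  });
  return problems;
}

// Frontend-side guard modelled on a global window.open override: blocked
// URLs are dropped instead of being handed to the browser. The window-like
// object is a parameter so the guard can be exercised without a DOM.
function installWindowOpenGuard(win) {
  const originalOpen = win.open.bind(win);
  win.open = (url, ...rest) => {
    if (!isSafeHref(String(url))) {
      return null; // same value a blocked popup yields
    }
    return originalOpen(url, ...rest);
  };
  return win;
}

// Constructed sample catalog entity with one hostile annotation.
const sampleEntity = {
  apiVersion: 'backstage.io/v1alpha1',
  kind: 'Component',
  metadata: {
    name: 'payments-service',
    annotations: { 'backstage.io/view-url': 'JavaScript:alert(1)' },
    links: [{ url: 'https://docs.example.invalid/payments', title: 'Docs' }],
  },
};

console.log(validateEntityLinks(sampleEntity));
// → [ 'annotation backstage.io/view-url has a blocked URL scheme' ]
```

Parsing with the URL constructor rather than string matching is the important design choice: the parser strips leading whitespace and embedded tabs and newlines and lower-cases the scheme, so the comparison sees the same scheme the browser would act on. Rejecting unparseable input outright keeps the check fail-closed.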
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: LOW
- Scope: CHANGED
- User Interaction: REQUIRED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most common class of web application vulnerabilities. It allows an attacker to inject malicious code into a vulnerable web application and victimize its users. Exploiting such a weakness can cause severe issues such as account takeover and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, the class has remained in the OWASP Top 10 for years.
References
Advisory Timeline
- Published