{"id":"CVE-2019-19903","details":"An issue was discovered in Backdrop CMS 1.14.x before 1.14.2. It does not sufficiently filter output when displaying file type descriptions created by administrators. An attacker could craft a specialized description that causes script to execute in the browser of an administrator who views the list of file types (cross-site scripting, XSS). This vulnerability is mitigated by the fact that an attacker must have a role with the \"Administer file types\" permission.","modified":"2026-03-14T09:36:52.459266Z","published":"2019-12-19T06:15:11.197Z","references":[{"type":"ADVISORY","url":"https://backdropcms.org/security/backdrop-sa-core-2019-015"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/backdrop/backdrop","events":[{"introduced":"9d7c5d90930b5b21f3183d035e1cfa9471b8827d"},{"fixed":"1836c576fe938b5baec7827832a10a6088dbcd20"},{"introduced":"5e55d3d97c0a7b23a68076d5321212c17da3fbe9"},{"fixed":"9bb3c616b85ae64ef6490793083ffeabf9182e46"}],"database_specific":{"versions":[{"introduced":"1.13.0"},{"fixed":"1.13.5"},{"introduced":"1.14.0"},{"fixed":"1.14.2"}]}}],"versions":["1.13.0","1.13.1","1.13.2","1.13.3","1.13.4","1.14.0","1.14.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19903.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}