{"id":"CVE-2023-31045","details":"A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because \"any administrator that can configure a text format could easily allow Full HTML anywhere.\"","aliases":["GHSA-3862-c622-v4fp"],"modified":"2026-03-14T12:06:54.381394Z","published":"2023-04-24T08:15:07.257Z","references":[{"type":"ADVISORY","url":"https://github.com/backdrop/backdrop/releases/tag/1.24.2"},{"type":"REPORT","url":"https://github.com/backdrop/backdrop-issues/issues/6065"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/backdrop/backdrop","events":[{"introduced":"0"},{"fixed":"6d7645eff7549bbe4f2654e5a1620dd827a45569"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.24.2"}]}}],"versions":["1.1.0","1.10.0","1.11.0","1.13.0-preview","1.14.0","1.14.0-preview","1.15.0","1.15.0-preview","1.16.0","1.16.0-preview","1.17.0","1.17.0-preview","1.18.0","1.18.0-preview","1.19.0","1.19.0-preview","1.2.0","1.20.0","1.20.0-preview","1.21.0","1.21.0-preview","1.22.0","1.22.0-preview","1.23.0","1.23.0-preview","1.24.0","1.24.0-preview","1.24.1","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.4.0","1.4.1","1.4.2","1.4.3","1.5.0","1.5.1","1.6.0","1.7.0","1.7.0-preview","v1.0.0","v1.0.0-preview","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.0.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-31045.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}