Headline
GHSA-5j94-f3mf-8685: @backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection
Impact
An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim’s browser when browsing documentation or navigating to an attacker provided link.
Patches
This has been fixed in the 1.10.13 release of the @backstage/plugin-techdocs-backend package.
References
If you have any questions or comments about this advisory:
Open an issue in the Backstage repository Visit our Discord, linked to in Backstage README
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-46976
@backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection
Moderate severity GitHub Reviewed Published Sep 17, 2024 in backstage/backstage • Updated Sep 17, 2024
Package
npm @backstage/plugin-techdocs-backend (npm)
Affected versions
< 1.10.13
Impact
An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim’s browser when browsing documentation or navigating to an attacker provided link.
Patches
This has been fixed in the 1.10.13 release of the @backstage/plugin-techdocs-backend package.
References
If you have any questions or comments about this advisory:
Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README
References
- GHSA-5j94-f3mf-8685
- https://nvd.nist.gov/vuln/detail/CVE-2024-46976
Published to the GitHub Advisory Database
Sep 17, 2024
Last updated
Sep 17, 2024