9.3
CVSSv2

CVE-2019-14771

Published: 08/08/2019 Updated: 19/08/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Backdrop CMS 1.12.x prior to 1.12.8 and 1.13.x prior to 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, potentially allowing non-configuration scripts to be uploaded to the server. (This attack is mitigated by the attacker needing the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other preventative measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.)

Vulnerability Trend

Affected Products

Vendor Product Versions
BackdropcmsBackdrop Cms1.12.0, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.13.0, 1.13.1, 1.13.2