CyberSec.Space Logo
Back to CVE Browser

CVE-2021-45268

HIGH
8.8
CVSS Severity Score
EPSS Score0.1260%
EPSS Percentile18.82th
PublishedFeb 3, 2022
Last ModifiedNov 21, 2024

Vulnerability Description

A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons

Affected Platforms (CPE)

πŸ“¦
Backdropcms

Backdrop

= 1.20.0

References & Advisories

πŸ”— https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS
πŸ”— https://www.exploit-db.com/exploits/50323
πŸ”— https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS
πŸ”— https://www.exploit-db.com/exploits/50323

Related Vulnerabilities

CVE-2019-147719.8

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the use...

CVE-2019-199027.2

An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It allows the upload of entire-site configu...

CVE-2019-147706.1

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to exe...

CVE-2019-147696.1

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels...