CyberSec.Space Logo
返回 CVE 浏览器

CVE-2021-45268

HIGH
8.8
CVSS Severity Score
EPSS Score0.1260%
EPSS Percentile18.82th
Published2022年2月3日
Last Modified2024年11月21日

Vulnerability Description

A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons

Affected Platforms (CPE)

📦
Backdropcms

Backdrop

= 1.20.0

References & Advisories

🔗 https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS
🔗 https://www.exploit-db.com/exploits/50323
🔗 https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS
🔗 https://www.exploit-db.com/exploits/50323

相关漏洞威胁

CVE-2019-147719.8

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the use...

CVE-2019-199027.2

An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It allows the upload of entire-site configu...

CVE-2019-147706.1

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to exe...

CVE-2019-147696.1

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels...