CVE-2021-43776
Severity: HIGH
Backstage auth-backend < 0.4.9 - Cross-Site Scripting via Malicious URL
Title source: llmDescription
Backstage is an open platform for building developer portals. In affected versions, the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities. This vulnerability is patched in version `0.4.9` of `@backstage/plugin-auth-backend`.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/backstage/backstage/security/advisories/GHSA-w7fj-336r-vw49
Product, Third Party Advisory x_refsource_misc
https://github.com/backstage/backstage/tree/master/plugins/auth-backend
Scores
CVSS v3
7.4
EPSS
0.0031
EPSS Percentile
54.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Details
CWE
CWE-79
Status
published
Products (2)
backstage/plugin-auth-backend
0 - 0.4.9 (npm)
linuxfoundation/auth_backend
< 0.4.9
Published
Nov 26, 2021
Tracked Since
Feb 18, 2026