CVE-2024-46976

MEDIUM

Linuxfoundation Backstage < 1.10.13 - XSS

Title source: rule

Description

Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability.

References (1)

[Third Party Advisory] https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685

Scores

CVSS v3 6.5

EPSS 0.0019

EPSS Percentile 40.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Classification

CWE

CWE-79 CWE-693

Status published

Affected Products (2)

linuxfoundation/backstage < 1.10.13

backstage/plugin-techdocs-backend < 1.10.13npm

Timeline

Published Sep 17, 2024

Tracked Since Feb 18, 2026