CVE-2022-42094 - Stored XSS in Backdrop CMS 1.23. via ‘Card’ Content

Backdrop CMS is a popular open-source content management system often used by organizations seeking a simple yet powerful platform. In September 2022, a stored cross-site scripting (XSS) vulnerability was found in version 1.23., specifically impacting the “Card” content feature. This vulnerability, tracked as CVE-2022-42094, allows attackers to embed malicious JavaScript code that executes in the browsers of users who view the infected content.

This article will break down what this vulnerability means, demonstrate how it can be exploited, and suggest ways to protect your Backdrop CMS site.

What Is CVE-2022-42094?

CVE-2022-42094 is a stored XSS vulnerability in Backdrop CMS 1.23.. Unlike reflected XSS, a stored XSS flaw means that malicious input is permanently stored on the server – for example, in a database or page content – and then presented to users each time they access the compromised page.

The focus here is the “Card” content type. Improper input validation means attackers can inject HTML or JavaScript, which Backdrop then outputs to users without proper sanitization.

Original Advisory:  
- NVD - CVE-2022-42094  
- Backdrop CMS Security Advisory

How Does the Exploit Work?

The vulnerability arises because Backdrop CMS doesn’t sanitize user input in “Card” fields. Any user with permission to create Card content (even at lowest roles) could inject scripts. When others visit the affected page, their browsers execute the malicious code.

Example Exploit

Suppose the Card content type has fields like "Title" or "Body". An attacker with permission to create cards can submit a payload like:

<script>alert('XSS Exploit by CVE-2022-42094')</script>

`html

alert('XSS Exploit by CVE-2022-42094')

Proof-of-Concept (PoC) Code

Below is a sample POST request payload sent to Backdrop via an HTTP client (e.g., curl or Burp Suite):

POST /node/add/card HTTP/1.1
Host: vulnerable-backdrop-site.com
Cookie: SESS...
Content-Type: application/x-www-form-urlencoded

title=test&body[und][][value]=<script>alert(document.cookie)</script>&form_build_id=...&form_id=card_node_form

*Once submitted, the malicious JavaScript will be stored in the database and run in the browsers of users viewing the Card.*

Impact

- Account Compromise: If an attacker manages to steal cookies or session information via XSS, they can hijack user accounts.

Phishing: Attackers can inject spoofed login forms or redirect users to malicious sites.

- Site Defacement: XSS can be used to alter how the website looks or functions, damaging reputation.

What site owners should do

- Update Backdrop CMS to the latest version. Backdrop CMS team patched this vulnerability after 1.23..

Sanitize Input: Always sanitize and validate user content in custom fields or content types.

- Restrict Permissions: Limit the ability of users to create or edit rich content unless necessary.

Monitor for unusual content in the Cards feature and review logs for suspicious activity.

Further details can be found on the Backdrop CMS security advisory page and on the NVD database.

Conclusion

CVE-2022-42094 is a significant security issue for Backdrop CMS 1.23. users, especially sites allowing untrusted users to post content. By understanding how this stored XSS works and applying the proper updates and security hygiene, site owners can reduce their risk of exploitation.

If you haven’t updated Backdrop CMS since 1.23., do so immediately. And always keep security best practices in mind when building and maintaining your site.

References

- NVD – CVE-2022-42094
- Backdrop CMS Security Advisory
- OWASP XSS

*Stay safe. Update regularly. And always sanitize user input!*

Timeline

Published on: 11/22/2022 13:15:00 UTC
Last modified on: 11/23/2022 19:21:00 UTC