CVE-2025-46595

{"id": "CVE-2025-46595", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.1}]}, "published": "2025-04-25T03:15:20.583", "references": [{"url": "https://backdropcms.org/security/backdrop-sa-contrib-2025-011", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow crafted HTML to result in Cross Site Scripting. This is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format."}, {"lang": "es", "value": "Se detect\u00f3 un problema de XSS en el m\u00f3dulo Flag antes de la versi\u00f3n 1.x-3.6.2 de Background CMS. Flag es un m\u00f3dulo que permite a\u00f1adir banderas a nodos, comentarios, usuarios y cualquier otro tipo de entidad. No verifica los enlaces de las banderas antes de ejecutar la acci\u00f3n ni verifica que la respuesta devuelta haya sido proporcionada por el m\u00f3dulo. Esto puede permitir que el HTML manipulado genere cross-site scripting. Esto se mitiga porque un atacante debe tener un rol con permiso para crear enlaces en el sitio web; por ejemplo, para crear o editar comentarios o contenido con un formato de texto filtrado."}], "lastModified": "2025-04-29T13:52:28.490", "sourceIdentifier": "cve@mitre.org"}