CVE-2024-46976 — MEDIUM (6.5)

Q: How severe is CVE-2024-46976?

CVE-2024-46976 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-46976?

Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Backstage.

Vulnerability Description

Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Linuxfoundation	Backstage	< 1.10.13

Related Weaknesses (CWE)

CWE-693 CWE-79

References

https://github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685Third Party Advisory

FAQ

What is CVE-2024-46976?

CVE-2024-46976 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content tha...

How severe is CVE-2024-46976?

CVE-2024-46976 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-46976?

Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Backstage.