CVE-2022-42094
Description
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| backdrop/backdrop (Packagist) | <= 1.23.0 | — |
Affected products
- Backdrop / CMS
Patches
Vulnerability mechanics
Root cause
"Stored cross-site scripting (XSS) via unsanitized 'Card' content input."
Attack vector
An attacker with the ability to create or edit Card content can inject arbitrary JavaScript or HTML into the 'Card' content field. When other users view the affected page, the injected script executes in their browser session. The advisory does not specify whether authentication or a specific content permission is required, but the attack is stored (persistent) rather than reflected. The vulnerability is triggered simply by rendering the crafted Card content.
Affected code
The advisory identifies the Card content type in Backdrop CMS 1.23.0 as the vulnerable component. The supplied patch [patch_id=1641241] only modifies core/includes/bootstrap.inc to update the version string and does not show the actual vulnerable code path or the sanitization fix. The specific file or function handling Card content rendering is not present in the bundle.
What the fix does
The supplied patch [patch_id=1641241] only bumps the version constant from '1.23.x-dev' to '1.23.0' in bootstrap.inc. This is a release-tagging change and does not contain any code-level fix for the XSS vulnerability. The advisory describes a stored XSS issue in Card content, but the actual sanitization fix is not present in this patch. Without the relevant diff, the precise remediation (e.g., adding output escaping or input filtering) cannot be determined from the supplied bundle.
Preconditions
- auth: Attacker likely needs an account with permission to create or edit Card content.
- input: Attacker must be able to supply unsanitized HTML/JavaScript in the Card content field.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.