VYPR
Moderate severity · NVD Advisory · Published Nov 21, 2022 · Updated Apr 29, 2025

CVE-2022-42096

Description

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
backdrop/backdrop  Packagist   <= 1.23.0           (none listed)

Vulnerability mechanics

Root cause

"Insufficient sanitization of Post content allows stored cross-site scripting (XSS)."

Attack vector

An attacker with the ability to create or edit Post content can inject arbitrary JavaScript into the Post body field. When other users view the crafted Post, the injected script executes in their browser session. The advisory does not specify whether authentication is required, but the vulnerability is triggered through the standard content creation workflow without additional privileges beyond those needed to author Posts.

Affected code

The advisory identifies the Post content type as the vulnerable component in Backdrop CMS 1.23.0. The supplied patch touches only core/includes/bootstrap.inc [patch_id=1641237] and does not show the vulnerable code path or the sanitization function that failed to filter the Post body.

What the fix does

The supplied patch only bumps the version constant from '1.23.x-dev' to '1.23.0' in bootstrap.inc [patch_id=1641237]. This is a release-tagging change and does not contain any code-level fix for the XSS vulnerability. The actual security fix must reside in a different commit that was not included in this bundle; the advisory does not provide the corrective diff.

Preconditions

  • auth: Attacker likely needs a role that can create or edit Post content (the advisory does not specify the minimum privilege level).
  • input: Attacker must be able to supply arbitrary HTML/JavaScript in the Post body field.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
