Moderate severity · NVD Advisory · Published Nov 22, 2022 · Updated Apr 29, 2025

CVE-2022-42097

Description

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: backdrop/backdrop (Packagist)
Affected versions: <= 1.23.0
Patched versions: (not listed)

Vulnerability mechanics

Root cause

"Insufficient output encoding of comment content allows stored cross-site scripting (XSS)."

Attack vector

An attacker with the ability to post comments on the Backdrop CMS site can inject arbitrary JavaScript into the comment body. When the comment is saved and later rendered for other users (including administrators), the injected script executes in the context of the victim's browser session. The vulnerability is triggered simply by viewing the page that displays the malicious comment. No special network position is required beyond normal web access to the comment submission form.

Affected code

The advisory identifies the comment functionality in Backdrop CMS 1.23.0 as the affected component. The supplied patch only modifies the version constant in core/includes/bootstrap.inc and does not contain the actual code fix for the XSS vulnerability. The specific file or function responsible for rendering comment output without proper sanitization is not shown in the provided patch.

What the fix does

The supplied patch only bumps the version constant from '1.23.x-dev' to '1.23.0' and does not contain any code change that addresses the XSS vulnerability. The advisory states that the vulnerability exists in version 1.23.0, but the patch does not show the actual sanitization fix. Based on the available information, the root cause is insufficient output encoding of comment content, and a proper fix would involve escaping HTML entities in comment text before rendering.
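To make the root cause concrete, here is an added illustration (not Backdrop's own code, and not from the advisory's patch) of a comment body emitted raw versus encoded at output time, plus a coarse check a site owner could run over stored comments after upgrading. The comment record and all function names are constructed for this example; Backdrop's real comment rendering path is not shown on this page.

```php
<?php
// Constructed stored comment, as it might sit in the database after submission.
// The body carries markup that a comment author should never be able to make live.
$storedComment = [
    'cid'     => 42,
    'author'  => 'guest',
    'subject' => 'Hello',
    'body'    => 'Nice post! <script>document.title="owned"</script>',
];

// Vulnerable pattern (the advisory's root cause): untrusted fields are
// interpolated into the page as-is, so author-supplied markup becomes HTML.
function renderCommentUnsafe(array $c): string
{
    return "<div class=\"comment\"><h3>{$c['subject']}</h3><p>{$c['body']}</p></div>";
}

// Hardened pattern: encode every untrusted field for the HTML text context
// before it reaches the template. In Backdrop the equivalent core helper is
// check_plain(); filter_xss() is the choice when a tag allow-list is wanted.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderCommentSafe(array $c): string
{
    $subject = encodeForHtml($c['subject']);
    $body    = encodeForHtml($c['body']);
    return "<div class=\"comment\"><h3>{$subject}</h3><p>{$body}</p></div>";
}

// Defender's triage check for a site that ran the affected version: flag stored
// comment bodies containing active content so they can be reviewed by hand.
// Matching <script> and on*= handlers is a coarse indicator, not a sanitizer.
function commentLooksActive(string $body): bool
{
    return (bool) preg_match('/<\s*script\b|\bon[a-z]+\s*=/i', $body);
}

$unsafe = renderCommentUnsafe($storedComment);
$safe   = renderCommentSafe($storedComment);

// The unsafe output still contains a live <script> element; the safe output
// contains only the escaped text &lt;script&gt;, which the browser displays.
echo "unsafe output keeps <script>: ", var_export(strpos($unsafe, '<script>') !== false, true), "\n";
echo "safe output keeps <script>:   ", var_export(strpos($safe, '<script>') !== false, true), "\n";
echo "stored body flagged for review: ", var_export(commentLooksActive($storedComment['body']), true), "\n";
```

The encoding belongs at the output boundary for the context in use (HTML body here); filtering on input alone does not close the gap, because stored content that predates the fix is still rendered.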

Preconditions

  • auth: Attacker must have the ability to post comments on the Backdrop CMS site (may require an account depending on site configuration).
  • input: Attacker must be able to submit a comment containing arbitrary HTML/JavaScript payload.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
