CVE-2024-46976 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-46976 PUBLISHED CVSS 6.5 MEDIUM

Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability.

EPSS 0.19% · 40.0th percentile

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

EPSS Score

0.19%

40.0th percentile

Affected Products

Vendor	Product	Versions
backstage	backstage	< 1.10.13
linuxfoundation	backstage	0
backstage	plugin-techdocs-backend	0

Timeline

Sep 17, 2024 CVE Published
Sep 18, 2024 EPSS Score
Oct 5, 2024 Coalition ESS Score
Oct 7, 2024 EPSS Score
Oct 26, 2024 EPSS Score
Nov 14, 2024 EPSS Score
Dec 4, 2024 EPSS Score
Dec 23, 2024 EPSS Score
Jan 11, 2025 EPSS Score
Jan 20, 2025 Coalition ESS Score
Jan 30, 2025 EPSS Score
Feb 18, 2025 EPSS Score

References

Open in Interactive Console →