VDB

CVE-2024-46976

CVE-2024-46976 PUBLISHED CVSS 6.5 MEDIUM

Backstage is an open framework for building developer portals. An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. users are advised to upgrade. There are no known workarounds for this vulnerability.

EPSS 0.19% · 40.0th percentile

Risk Scores

CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
EPSS Score
0.19%
40.0th percentile

Affected Products

VendorProductVersions
backstagebackstage< 1.10.13
linuxfoundationbackstage0
backstageplugin-techdocs-backend0

Exploit Intelligence

Timeline

  • Sep 17, 2024 CVE Published
  • Sep 18, 2024 EPSS Score
  • Oct 5, 2024 Coalition ESS Score
  • Oct 8, 2024 EPSS Score
  • Oct 27, 2024 EPSS Score
  • Nov 16, 2024 EPSS Score
  • Dec 6, 2024 EPSS Score
  • Dec 26, 2024 EPSS Score
  • Jan 15, 2025 EPSS Score
  • Jan 20, 2025 Coalition ESS Score
  • Feb 3, 2025 EPSS Score
  • Feb 23, 2025 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›