CVE-2024-46976: @backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection

September 17, 2024

An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim’s browser when browsing documentation or navigating to an attacker provided link.

References

github.com/advisories/GHSA-5j94-f3mf-8685
github.com/backstage/backstage
github.com/backstage/backstage/security/advisories/GHSA-5j94-f3mf-8685
nvd.nist.gov/vuln/detail/CVE-2024-46976

Detect and mitigate CVE-2024-46976 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →