CVE-2023-25571 (backstage_catalog-model, backstage_core-components, backstage_plugin-catalog-backend)

Backstage is an open platform for building developer portals. `@backstage/catalog-model` prior to version 1.2.0, `@backstage/core-components` prior to 0.12.4, and `@backstage/plugin-catalog-backend` prior to 1.7.2 are affected by a cross-site scripting vulnerability. This vulnerability allows a malicious actor with access to add or modify content in an instance of the Backstage software catalog to inject script URLs in the entities stored in the catalog. If users of the catalog then click on said URLs, that can lead to an XSS attack. This …

access actor backend backstage catalog cross-site cve developer entities inject instance malicious platform plugin script scripting software urls version version 1 vulnerability