CVE-2022-42095 is a stored cross-site scripting (XSS) vulnerability identified in Backdrop CMS version 1.23.0. Backdrop CMS is an open-source content management system used to build and manage websites. The vulnerability arises from insufficient sanitization of user-supplied input in the 'Page content' feature, allowing an attacker with authenticated access to inject malicious scripts that are stored persistently on the server. When other users or administrators view the affected page content, the malicious script executes in their browsers within the context of the vulnerable site. This can lead to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. According to the CVSS v3.1 vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N), exploitation requires network access, low attack complexity, high privileges (authenticated user with elevated rights), and user interaction (the victim must view the malicious content). The vulnerability impacts confidentiality and integrity but does not affect availability. No known exploits in the wild have been reported, and no official patches or vendor advisories are currently linked. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component, such as other users' sessions or data. Overall, this vulnerability represents a medium-severity risk primarily to authenticated users with elevated privileges on Backdrop CMS 1.23.0 installations that allow page content editing and viewing by other users.

For European organizations using Backdrop CMS 1.23.0, this vulnerability poses a risk of persistent XSS attacks that can compromise the confidentiality and integrity of user sessions and data. Attackers with authenticated access—potentially internal users or compromised accounts—can inject malicious scripts that execute in the browsers of other users, including administrators. This could lead to unauthorized data disclosure, session hijacking, or manipulation of content and settings. While availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be significant. Organizations with public-facing websites or intranet portals built on Backdrop CMS are at risk, especially if they have multiple users with content editing privileges. The medium CVSS score reflects the requirement for high privileges and user interaction, limiting the ease of exploitation but not eliminating the threat. Given the lack of known exploits in the wild, the risk is currently moderate but could increase if exploit code becomes available. European entities in sectors such as government, education, and SMEs that rely on Backdrop CMS for content management should be particularly vigilant.

1. Immediate mitigation involves restricting content editing privileges to trusted, authenticated users with minimal necessary rights to reduce the risk of malicious input. 2. Implement strict input validation and output encoding on all user-supplied content fields, particularly the 'Page content' area, to neutralize potentially malicious scripts. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 4. Monitor and audit user activities related to content creation and modification to detect suspicious behavior. 5. Regularly update Backdrop CMS installations and monitor official channels for patches or security advisories addressing this vulnerability. 6. Educate users and administrators about the risks of XSS and safe content management practices. 7. If possible, deploy web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting Backdrop CMS. 8. Conduct penetration testing and code reviews focused on input sanitization and output encoding to proactively identify and remediate similar vulnerabilities.