CVE-2024-54123 is a cross-site scripting (XSS) vulnerability identified in Backdrop CMS, an open-source content management system. The flaw exists in versions prior to 1.28.4 and 1.29.x before 1.29.2 and is triggered when SVG (Scalable Vector Graphics) tags are permitted within a text format configuration. SVG files can contain embedded scripts, and if the CMS does not properly sanitize or restrict these SVG tags, an attacker can craft malicious SVG documents that execute arbitrary JavaScript in the context of the victim's browser. This vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common XSS category. The CVSS v3.1 base score is 6.1, indicating a medium severity level. The vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) shows that the attack is network exploitable with low attack complexity, requires no privileges but does require user interaction (e.g., victim clicking a link or loading a malicious SVG). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, potentially impacting the entire web application. The impact on confidentiality and integrity is low, as the attacker can execute scripts but cannot directly affect availability. No known exploits have been reported in the wild, and no official patches are linked yet, though the versions affected and fixed versions are clearly identified. The vulnerability highlights the risk of allowing SVG tags in text formats without proper sanitization, a common vector for XSS in web applications that handle user-generated content or allow rich text editing.

The primary impact of CVE-2024-54123 is the potential for attackers to execute arbitrary JavaScript in the browsers of users visiting vulnerable Backdrop CMS websites. This can lead to session hijacking, theft of sensitive information such as cookies or tokens, defacement, or redirection to malicious sites. Since the vulnerability requires user interaction, social engineering or phishing campaigns could be used to lure victims to malicious SVG content. The scope change means that the vulnerability could affect multiple parts of the web application, potentially compromising user data and trust. Organizations relying on Backdrop CMS for public-facing websites or intranet portals may face reputational damage and data confidentiality risks. Although availability is not directly impacted, the integrity of the website content and user data can be compromised. The lack of known exploits in the wild suggests limited current threat activity, but the low complexity and network accessibility make it a viable target for attackers once exploit code becomes available. This vulnerability is particularly concerning for organizations with high user interaction on their CMS platforms, such as community forums, blogs, or e-commerce sites using Backdrop CMS.

To mitigate CVE-2024-54123, organizations should immediately review their Backdrop CMS installations and identify if they are running affected versions prior to 1.28.4 or 1.29.2. They should restrict or disable the use of SVG tags in text formats unless absolutely necessary. If SVG support is required, implement strict sanitization and validation of SVG content to remove or neutralize embedded scripts. Monitor official Backdrop CMS channels for patches or updates and apply them promptly once available. Additionally, implement Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS attacks. Educate users and administrators about the risks of clicking untrusted links or uploading unverified SVG files. Regularly audit text format configurations and user permissions to minimize exposure. Employ web application firewalls (WAFs) with rules targeting XSS payloads as a temporary protective measure. Finally, conduct security testing and code reviews focusing on input sanitization and output encoding related to rich text and SVG content handling.