Spotify Backstage Development Portal Builder Vulnerable to RCE

Bleeping Computer reporter Bill Toulas notes that “While this number isn’t large, Backstage is used by many large firms, including Spotify, Netflix, Epic Games, Jaguar/Land Rover, Mercedes Benz, American Airlines, Splunk, TUI, Oriflame, Twilio, SoundCloud, HBO Max, HP Inc, Siemens, VMware, and IKEA”.
Systems administrators are strongly advised to update Backstage to the latest version, 1.7.2. Where possible, prefer logic-less template engines: because they only substitute values and never evaluate expressions, they sharply reduce the opportunity for server-side template injection (they do not remove every risk, since a template assembled from user input can still read values from the rendering context). Administrators should also ensure that authentication is enforced on every Backstage instance and that access to the instances is restricted at the network level wherever possible, since a pre-authentication bug is reachable by anyone who can reach the endpoint.
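To make the template-engine recommendation concrete, the following is an added illustration (it is not code from the article, from Backstage, or from any template library it uses). It models a logic-capable `{{ expr }}` engine with a `new Function` stand-in, puts a minimal logic-less engine beside it, and shows what happens when an attacker-controlled value is concatenated into the template versus passed only as data. The template strings, the `(6*7)` payload and the `secret` key are constructed for the example; the arithmetic stands in for a real sandbox-escape payload, because the point is whether the engine evaluates the tag at all.

```javascript
// Added example, not code from the article or from Backstage itself.

// Stand-in for a logic-capable engine: every {{ ... }} tag is evaluated as a
// JavaScript expression against the data context. new Function is used only to
// model "the engine evaluates expressions"; it is not how any real engine works.
function renderWithLogic(template, data) {
  return template.replace(/\{\{\s*([^}]+?)\s*\}\}/g, (_tag, expr) => {
    const evaluate = new Function("data", "with (data) { return (" + expr + "); }");
    return String(evaluate(data));
  });
}

// Minimal logic-less engine: a tag may only be a bare identifier, and rendering
// is a single own-property lookup plus HTML escaping. No expression is parsed,
// so there is nothing for an injected payload to execute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderLogicless(template, data) {
  return template.replace(/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g, (_tag, key) => {
    if (!Object.prototype.hasOwnProperty.call(data, key)) return "";
    return escapeHtml(String(data[key]));
  });
}

// Trusted template, fixed by the developer at build time (constructed for the example).
const GREETING = "Hello {{name}}, your ticket {{ticket}} is ready.";

// The dangerous pattern: the template itself is assembled from a request value.
function buildTemplateFromRequest(userName) {
  return "Hello " + userName + ", your ticket {{ticket}} is ready.";
}

// Constructed attacker value. (6*7) stands in for a real payload.
const PAYLOAD = "{{ (6*7) }}";

// 1. Logic-capable engine with user input concatenated into the template:
//    the injected tag is evaluated by the engine.
function injectedResult() {
  return renderWithLogic(buildTemplateFromRequest(PAYLOAD), { ticket: 7 });
}

// 2. Same engine, but the value travels as data: it is substituted in one pass
//    and the substituted string is never re-parsed, so it stays literal text.
function dataOnlyResult() {
  return renderWithLogic(GREETING, { name: PAYLOAD, ticket: 7 });
}

// 3. Logic-less engine, even with the template assembled from the request:
//    "(6*7)" is not a bare identifier, so the tag is left untouched.
function logiclessResult() {
  return renderLogicless(buildTemplateFromRequest(PAYLOAD), { ticket: 7 });
}

// 4. Caveat: a logic-less engine still resolves any key present in the
//    context. A request-built template cannot run code, but it can read
//    whatever the context holds, so keep the template trusted regardless.
function logiclessLeakResult() {
  return renderLogicless(buildTemplateFromRequest("{{secret}}"), { ticket: 7, secret: "token-value" });
}

console.log(injectedResult());      // Hello 42, your ticket 7 is ready.
console.log(dataOnlyResult());      // Hello {{ (6*7) }}, your ticket 7 is ready.
console.log(logiclessResult());     // Hello {{ (6*7) }}, your ticket 7 is ready.
console.log(logiclessLeakResult()); // Hello token-value, your ticket 7 is ready.
```

The first three cases show that the injection primitive needs two things at once: an engine that evaluates expressions and a template that the attacker can write into. Switching to a logic-less engine removes the first; keeping user input strictly in the data context removes the second, and case 4 is the reason to do both rather than rely on the engine choice alone.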

https://www.bleepingcomputer.com/news/security/researchers-release-exploit-details-for-backstage-pre-auth-rce-bug/