- Backdrop Core 1.12.x versions prior to 1.12.5
- Backdrop Core 1.11.x versions prior to 1.11.8
Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
Upgrade your site to the most recent version of Backdrop core. A download is available on the Backdrop CMS 1.12.5 release page. See the update instructions if needed.
- Alex Pott of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Nate Lampton of the Backdrop Security Team
- Gregory Netsas of the Backdrop Security Team
- Gregory Netsas of the Backdrop Security Team