Security Advisories

This module suite implements a mapping functionality between Salesforce objects and Backdrop entities

This module does not generate or validate a cryptographically random `state` parameter to protect the authorization flow against CSRF attacks. 

Additionally, the OAuth callback is accessible to most authenticated and potentially anonymous users depending on site configuration.

Backdrop allows administrators to upload certain files that could be executable. The vulnerability is mitigated by the fact that it requires administrator level access, and in most server configurations, execution of uploaded files is disabled by the server or the .htaccess files created by Backdrop. In the most recent release, a hardening of file types that may not be uploaded and directories that may not be uploaded to will help prevent administrators from accidentally writing into system directories. The list of unsafe extensions is expanded significantly to further reduce the chances of uploaded files from being executed.

Because this configuration already requires administrator-level permissions, the improvements in the latest release is considered a security hardening and not exploitable by unprivileged user accounts.

Backdrop bulk operations did not always check permissions appropriately. This could allow someone with permission to use bulk operations generally to use bulk operations on the file management page and delete files that they did not have specific permission to delete. This vulnerability is mitigated by the fact that the user must have the Access the manage files overview permission.

Backdrop's project installer does not check against a generated token before queuing projects to be downloaded from the Backdrop contrib repository. A user that has permission to post content could craft special tag to queue projects and download the projects. This vulnerability is mitigated by the fact that the user needs the ability to post HTML, and needs to get a privileged user to view the content they post. Additionally, there is no known way to enable projects, only download them.

Backdrop core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.

The Protected Pages module module allows you to protect individual pages with a password.

The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.

Module filter module included an older version of the jQuery BBQ library, which contained a security vulnerability.

The risk may be mitigated by users needing to have access to this module that would be restricted to the administrator role.

Note: Backdrop security releases are usually made on Wednesdays. This release was accidentally created out of band.

GLightbox module provides integration with the GLightbox library, a JavaScript lightbox for images.

The module doesn't sufficiently sanitize text provided to the GLightbox JavaScript library, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox library.

GDPR Cookies is a module that helps to meet GDPR requirements by blocking third party services that set cookies unless and until the user consents. 

The module doesn't sufficiently protect visitors from Cross Site Scripting if a malicious value has been provided for the optional 'Info content' field for the YouTube service.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service", and a site must have added a YouTube service as configuration. 

Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page.

The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.