Backdrop core - Moderately critical - Information Disclosure - BACKDROP-SA-CORE-2022-004

Date: 
Jul 20th, 2022
Security risk: 
Moderately Critical
Vulnerability: 
Information Disclosure

In some situations, the Image module does not correctly check access to image files that are not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

Some sites may require configuration changes following this security release. Review the Backdrop release notes if you have issues accessing files or image styles after updating.

Advisory ID: 
BACKDROP-SA-CORE-2022-004
Versions affected: 
  • Backdrop Core 1.22.x versions prior to 1.22.1
  • Backdrop Core 1.21.x versions prior to 1.21.6

Backdrop versions 1.20 and prior do not receive security coverage.

Backdrop core - Moderately critical - Third Party Libraries - SA-BACKDROP-CORE-2022-003

Date: 
Mar 16th, 2022
Security risk: 
Moderately Critical
Vulnerabilities: 
  • Cross Site Scripting
  • Third Party Libraries

The Backdrop project uses the CKEditor library for rich-text editing. CKEditor has released a security update that impacts Backdrop.

If a Backdrop site is configured to use CKEditor for rich-text editing, an attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities. Victims may be people who later edit that content using CKEditor, including site admins with privileged access.

For more information, see CKEditor's security advisories:

 

Advisory ID: 
BACKDROP-SA-CORE-2022-003
Versions affected: 
  • Backdrop Core 1.21.x versions prior to 1.21.4
  • Backdrop Core 1.20.x versions prior to 1.20.7

Backdrop versions 1.19 and prior do not receive security coverage.

Backdrop core - Moderately critical - Cross Site Scripting - BACKDROP-SA-CORE-2022-002

Date: 
Mar 2nd, 2022
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Backdrop CMS doesn't sufficiently sanitize certain interface text when adding links to existing content.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create content (nodes), files, user accounts, taxonomy terms, views, or layouts.

Advisory ID: 
BACKDROP-SA-CORE-2022-002
Versions affected: 
  • Backdrop Core 1.21.x versions prior to 1.21.3
  • Backdrop Core 1.20.x versions prior to 1.20.6

Backdrop versions 1.19 and prior do not receive security coverage.

Backdrop core - Moderately critical - Improper input validation - BACKDROP-SA-CORE-2022-001

Date: 
Feb 16th, 2022
Security risk: 
Moderately Critical
Vulnerability: 
Improper input validation

Backdrop core's Form API has a vulnerability where certain forms in contributed or custom modules may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Advisory ID: 
BACKDROP-SA-CORE-2022-001
Versions affected: 
  • Backdrop Core 1.21.x versions prior to 1.21.2
  • Backdrop Core 1.20.x versions prior to 1.20.5

Backdrop versions 1.19 and prior do not receive security coverage.

jQuery UI 1.13.0 included in Backdrop 1.21.0 - PSA-2022-001

Date: 
Jan 19th, 2022
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

There will be no additional Backdrop release today. The version of jQuery UI included in Backdrop CMS is up to date as of the latest Backdrop release, version 1.21.0, out January 15th, 2022.

Earlier versions of Backdrop core did not use the parts of the jQuery UI library that were affected by the following vulnerabilities. It is possible that they may still be exploitable with  contributed modules if they were to use those parts of the jQuery UI library. There are no known instances of this happening.

jQuery UI is a third-party library included in Backdrop CMS. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issues that may affect Backdrop sites that have not yet updated to 1.21.0:

Note: All other vulnerabilities that were previously unaddressed in the version of jQuery UI included in Drupal 7 do not effect any version of Backdrop CMS.

Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.21.0

Backdrop Core - Moderately critical - Cross Site Scripting - BACKDROP-SA-CORE-2021-006

Date: 
Nov 18th, 2021
Security risk: 
Moderately Critical
Vulnerabilities: 
  • Cross Site Scripting
  • Third Party Libraries

The Backdrop CMS project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Backdrop, along with a hotfix for that update.

Vulnerabilities are possible if Backdrop is configured to allow use of the CKEditor library for Rich-Text editing. An attacker that can create or edit content (even without access to the Editor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target other people who do have access to the Rich-Text Editor, including site admins with privileged access.

For more information, see CKEditor's security advisories.

Advisory ID: 
BACKDROP-SA-CORE-2021-006
Versions affected: 
  • Backdrop Core 1.20.x versions prior to 1.20.2
  • Backdrop Core 1.19.x versions prior to 1.19.5

Backdrop versions 1.18 and prior do not receive security coverage.

Backdrop core - Moderately Critical - Third Party Libraries - BACKDROP-SA-CORE-2021-005

Date: 
Aug 12th, 2021
Security risk: 
Moderately Critical
Vulnerabilities: 
  • Cross Site Scripting
  • Third Party Libraries

The Backdrop project uses the CKEditor library for Rich-Text editing. CKEditor has released a security update that impacts Backdrop.

Vulnerabilities are possible if Backdrop remains configured to use the CKEditor library for Rich-Text editing. 

An attacker that can enter or edit content as formatted text (even without access to Rich-Text editor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target other people who have permission to use the Rich-Text editor on the same content, including site admins with privileged access.

If you're using the fakeobjects CKEditor plugin (not included with core) you will also want to update this.

Advisory ID: 
BACKDROP-SA-CORE-2021-005
Versions affected: 
  • Backdrop Core 1.19.x versions prior to 1.19.3
  • Backdrop Core 1.18.x versions prior to 1.18.7

Backdrop versions 1.17 and prior do not receive security coverage.

Backdrop core release on Thurs Aug 12, 2021 - PSA-2021-08-09

Date: 
Aug 9th, 2021
Security risk: 
Moderately Critical
Vulnerabilities: 
  • Third Party Libraries
  • To Be Announced

The Backdrop Security Team will be coordinating a security release for Backdrop 1.19 and 1.18 this week on Thursday, August 12, 2021

We are issuing this PSA in advance because August 12, 2021 is not a security window in the regular Drupal security release window schedule, and since we coordinate security releases with Drupal, there would not normally be any security release on this date.

The Backdrop core release will be made between 16:00 – 22:00 UTC (noon – 6:00pm EDT). It is rated as moderately critical and will be an update to a vendor library only.

 

Backdrop core - Critical - Third Party Libraries - BACKDROP-SA-CORE-2021-004

Date: 
Jul 21st, 2021
Security risk: 
Critical
Vulnerability: 
Third Party Libraries

The Backdrop project uses the pear Archive_Tar library, which has released a security update that impacts Backdrop.

The vulnerability is mitigated by the fact that Backdrop core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks. Backdrop also does not use Archive_Tar in normal operation of the site, but maintains it for compatibility with contrib modules and custom code.

Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.

Advisory ID: 
BACKDROP-SA-CORE-2021-004
Versions affected: 
  • Backdrop Core 1.19.x versions prior to 1.19.2
  • Backdrop Core 1.18.x versions prior to 1.18.6

Backdrop versions 1.17 and prior do not receive security coverage.

Backdrop core - Moderately critical - Cross Site Scripting - BACKDROP-SA-CORE-2021-003

Date: 
May 26th, 2021
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Backdrop core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack.

Update: 2021-06-11: More details are available on CKEditor's blog.

Advisory ID: 
BACKDROP-SA-CORE-2021-003
Versions affected: 
  • Backdrop Core 1.19.x versions prior to 1.19.1
  • Backdrop Core 1.18.x versions prior to 1.18.5

Backdrop versions 1.17 and prior do not receive security coverage.

Pages