Vulnerabilities are possible if Backdrop is configured to use the Rich-Text editor, CKEditor, for editing content. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.
The latest versions of Backdrop update CKEditor to 4.14 to mitigate the vulnerabilities.
- Backdrop Core 1.15.x versions prior to 1.15.1
- Backdrop Core 1.14.x versions prior to 1.14.4
Backdrop versions 1.13 and prior do not receive security coverage.