- Cross Site Scripting
- Third Party Libraries
If a Backdrop site is configured to use CKEditor for rich-text editing, an attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities. Victims may be people who later edit that content using CKEditor, including site admins with privileged access.
For more information, see CKEditor's security advisories:
- CVE-2022-24729: Regular expression Denial of Service in dialog plugin
- Backdrop Core 1.21.x versions prior to 1.21.4
- Backdrop Core 1.20.x versions prior to 1.20.7
Backdrop versions 1.19 and prior do not receive security coverage.