Note: No new Backdrop core security updates have been released since April 18, 2019. The Backdrop core security advisory emails sent from backdropcms.org on Tue Apr 23 at 10:20pm PDT refer to issues resolved on February 21, 2018 and were sent accidentally while updating security advisory content on backdropcms.org.

Backdrop core - Moderately critical - Third-party library - BACKDROP-SA-CORE-2020-001

Date: 
Mar 25th, 2020
Security risk: 
Moderately Critical
Vulnerability: 
Third Party Libraries

The Backdrop project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Backdrop configurations.

Vulnerabilities are possible if Backdrop is configured to use the Rich-Text editor, CKEditor, for editing content. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.

The latest versions of Backdrop update CKEditor to 4.14 to mitigate the vulnerabilities.

Advisory ID: 
BACKDROP-SA-CORE-2020-001
Versions affected: 
  • Backdrop Core 1.15.x versions prior to 1.15.1
  • Backdrop Core 1.14.x versions prior to 1.14.4

Backdrop versions 1.13 and prior do not receive security coverage.

Backdrop core - Critical - Multiple vulnerabilities - SA-CORE-2019-017

Date: 
Dec 18th, 2019
Security risk: 
Critical
Vulnerability: 
Third Party Libraries
Multiple vulnerabilities

The Backdrop CMS project uses the third-party library Archive_Tar, which has released a security update that impacts some Backdrop configurations.

Multiple vulnerabilities are possible if Backdrop is configured to allow .tar.tar.gz.bz2 or .tlz file uploads, and processes them.

The latest versions of Backdrop update Archive_Tar to 1.4.9 to mitigate these file processing vulnerabilities.

Advisory ID: 
BACKDROP-SA-CORE-2019-017
Versions affected: 
  • Backdrop Core 1.14.x versions prior to 1.14.2
  • Backdrop Core 1.13.x versions prior to 1.13.5

 

Backdrop core - Critical - Remote Code Execution - SA-CORE-2019-016

Date: 
Dec 18th, 2019
Security risk: 
Critical
Vulnerability: 
Information Disclosure
Remote Code Execution

Backdrop CMS allows the upload of entire-site configuration archives through the user interface or command-line. Backdrop CMS does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to potentially be uploaded to the server.

This issue is mitigated by the fact that the attacker would be required to have the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.

Advisory ID: 
BACKDROP-SA-CORE-2019-016
Versions affected: 
  • Backdrop Core 1.14.x versions prior to 1.14.2
  • Backdrop Core 1.13.x versions prior to 1.13.5

 

Backdrop core - Moderately Critical - Cross Site Scripting - SA-CORE-2019-015

Date: 
Dec 18th, 2019
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Backdrop CMS doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer file types".

Advisory ID: 
BACKDROP-SA-CORE-2019-015
Versions affected: 
  • Backdrop Core 1.14.x versions prior to 1.14.2

Backdrop core - Critical - Cross Site Scripting - SA-CORE-2019-014

Date: 
Dec 18th, 2019
Security risk: 
Critical
Vulnerability: 
Cross Site Scripting

Backdrop CMS doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer content types".

Advisory ID: 
BACKDROP-SA-CORE-2019-014
Versions affected: 
  • Backdrop Core 1.14.x versions prior to 1.14.2
  • Backdrop Core 1.13.x versions prior to 1.13.5

 

Backdrop core - Moderately critical - Cross Site Scripting - SA-CORE-2019-013

Date: 
Dec 18th, 2019
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Backdrop CMS doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when configuring a layout.

This issue is mitigated by the fact that the attacker would be required to have the permission to create custom blocks, which is typically an administrative task.

Advisory ID: 
BACKDROP-SA-CORE-2019-013
Versions affected: 
  • Backdrop Core 1.14.x versions prior to 1.14.2
  • Backdrop Core 1.13.x versions prior to 1.13.5

Webform - Critical - Multiple vulnerabilities - BACKDROP-SA-CONTRIB-2019-014

Date: 
Dec 12th, 2019
Security risk: 
Critical
Vulnerability: 
Multiple vulnerabilities

The module doesn't sufficiently protect against an attacker changing the submission identifier of a draft webform, thereby overwriting another user's submission. Confidential information is not disclosed, but information can be overwritten, and therefore lost or forged.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform, and the webform must have the advanced form setting of either Show "Save draft" button and/or Automatically save as draft between pages and when there are validation errors (neither of these two options are enabled by default). Anonymous users cannot submit drafts, and therefore cannot exploit this vulnerability.

Advisory ID: 
BACKDROP-SA-CONTRIB-2019-014
Versions affected: 
  • Webform 1.x versions prior to 1.x-4.21.0

Nodequeue - Critical - Cross site scripting - BACKDROP-SA-CONTRIB-2019-013

Date: 
Nov 13th, 2019
Security risk: 
Critical
Vulnerability: 
Cross Site Scripting

This module enables you to collect nodes in an arbitrarily ordered list.

Nodequeue's JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loaded.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "manipulate queues".

Advisory ID: 
BACKDROP-SA-CONTRIB-2019-013
Versions affected: 
  • Nodequeue 1.x versions prior to  1.x-2.2.0

Ubercart - Moderately critical - Cross site scripting - BACKDROP-SA-CONTRIB-2019-012

Date: 
Oct 8th, 2019
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

The Ubercart module provides a shopping cart and e-commerce features for Backdrop CMS.

The order submodule doesn't sufficiently sanitize user input when displayed on an invoice, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit orders".

Advisory ID: 
BACKDROP-SA-CONTRIB-2019-012
Versions affected: 

Backdrop core - Critical - Remote Code Execution - SA-CORE-2019-012

Date: 
Aug 7th, 2019
Security risk: 
Critical
Vulnerability: 
Information Disclosure
Remote Code Execution

Backdrop CMS allows the upload of entire-site configuration archives through the user interface or command-line. Backdrop CMS does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to potentially be uploaded to the server.

This attack is mitigated by the attacker needing the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other preventative measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.

Advisory ID: 
BACKDROP-SA-CORE-2019-012
Versions affected: 
  • Backdrop Core 1.13.x versions prior to 1.13.3
  • Backdrop Core 1.12.x versions prior to 1.12.8

Pages