Note: No new Backdrop core security updates have been released since April 18, 2019. The Backdrop core security advisory emails sent from backdropcms.org on Tue Apr 23 at 10:20pm PDT refer to issues resolved on February 21, 2018 and were sent accidentally while updating security advisory content on backdropcms.org.

Backdrop Core - Critical - Cross Site Request Forgery - BACKDROP-SA-CORE-2020-004

Date: Jun 17th, 2020
Security risk: Critical
Vulnerability: Cross Site Request Forgery

The Backdrop core Form API does not properly handle form input from cross-site requests, which can lead to other vulnerabilities.

Advisory ID: BACKDROP-SA-CORE-2020-004
Versions affected:
  • Backdrop Core 1.16.x versions prior to 1.16.2
  • Backdrop Core 1.15.x versions prior to 1.15.4

Backdrop versions 1.14 and prior do not receive security coverage.

Services - Moderately critical - Access bypass - BACKDROP-SA-CONTRIB-2020-002

Date: Jun 4th, 2020
Security risk: Moderately Critical
Vulnerability: Access bypass

This module provides a standardized solution for building APIs so that external clients can communicate with Backdrop.

The module's taxonomy term index resource doesn't take into consideration certain access control tags provided (but unused) by core, which certain contrib modules depend on.

This vulnerability is mitigated by the fact that your site must have the taxonomy term index resource enabled, your site must have a contributed module enabled which utilizes taxonomy term access control, and an attacker must know your API endpoint's path.

Advisory ID: BACKDROP-SA-CONTRIB-2020-002
Versions affected:
  • Services module 1.x versions prior to 1.x-3.0.5-beta

Backdrop Core - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CORE-2020-002

Date: May 20th, 2020
Security risk: Moderately Critical
Vulnerability: Cross Site Scripting

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.

Those advisories are:

These vulnerabilities may be exploitable on some Backdrop sites. This security release backports the fixes to the relevant jQuery functions without making any other changes to the jQuery version that is included in core, or running on the site via some other module such as jQuery Update. It is not necessary to update jquery_update on sites that have the module installed.

Backwards-compatibility code has also been added to minimize regressions to sites that might rely on jQuery's prior behavior. With jQuery 3.5, incorrect self-closing HTML tags in JavaScript for elements where end tags are normally required will encounter a change in what jQuery returns or inserts. To minimize that disruption, this security release retains jQuery's prior behavior for most safe tags. There may still be regressions for edge cases, including invalidly self-closed custom elements on Internet Explorer.
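
An added example (not Backdrop or jQuery project code) for locating markup strings in your own JavaScript that depend on the prior behavior: it applies the self-closing-tag expansion that jQuery.htmlPrefilter performed before 3.5.0 and reports strings whose result changes once that expansion is gone. The function names and sample strings are constructed for illustration.

```javascript
// Pattern jQuery applied in jQuery.htmlPrefilter before 3.5.0: every
// self-closed tag that is not a void element was expanded to an
// open/close pair before the string reached the browser's HTML parser.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Prior behavior: "<div/>" becomes "<div></div>".
function legacyPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// List each invalidly self-closed tag so the markup can be corrected.
function findSelfClosedTags(html) {
  const found = [];
  for (const m of html.matchAll(rxhtmlTag)) {
    found.push({ tag: m[2].toLowerCase(), index: m.index, text: m[0] });
  }
  return found;
}

// True when the string relied on the expansion. Without it, the HTML
// parser ignores the "/" on a non-void element, so "<div/>" is treated
// as an open tag and the siblings that follow become its children.
function changedByUpgrade(html) {
  return legacyPrefilter(html) !== html;
}

// Constructed sample strings of the kind passed to .html() or .append().
const samples = [
  '<div class="wrap"/><span>label</span>', // relies on prior behavior
  '<p>ok</p><br/><img src="x.png"/>',      // void elements only: unaffected
  '<custom-el data-x="1"/>',               // self-closed custom element
];

for (const s of samples) {
  if (changedByUpgrade(s)) {
    const tags = findSelfClosedTags(s).map((t) => t.tag).join(", ");
    console.log(`review: ${s}\n  self-closed: ${tags}\n  explicit form: ${legacyPrefilter(s)}`);
  }
}
```

Writing the explicit form (`<div class="wrap"></div>`) in the source string gives the same DOM under both old and new jQuery versions.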

If you find a regression caused by the jQuery changes, please report it in Backdrop core's issue queue (or that of the relevant contrib project). However, if you believe you have found a security issue, please report it privately to the Backdrop Security Team.

Advisory ID: BACKDROP-SA-CORE-2020-002
Versions affected:
  • Backdrop Core 1.16.x versions prior to 1.16.1
  • Backdrop Core 1.15.x versions prior to 1.15.3

Backdrop versions 1.14 and prior do not receive security coverage.

Backdrop core - Moderately critical - Open Redirect - BACKDROP-SA-CORE-2020-003

Date: May 20th, 2020
Security risk: Moderately Critical
Vulnerability: Open Redirect

Backdrop CMS has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the backdrop_goto() function.

Advisory ID: BACKDROP-SA-CORE-2020-003
Versions affected:
  • Backdrop Core 1.16.x versions prior to 1.16.1
  • Backdrop Core 1.15.x versions prior to 1.15.3

Backdrop versions 1.14 and prior do not receive security coverage.

Feeds JSONPath Parser - Critical - Arbitrary PHP code execution - BACKDROP-SA-CONTRIB-2020-001

Date: Apr 10th, 2020
Security risk: Critical
Vulnerability: Arbitrary PHP code execution

Feeds JSONPath Parser has a dependency on the third-party library peekmo/jsonpath or Stefan Goessner's implementation of jsonpath, which, when used with data that has not been sanitized, allows arbitrary code to be run.

Vulnerabilities are possible if a user has permission to configure a feed, or the feed is configured such that a user with access to the import form can alter a field mapping.

The latest version replaces the aforementioned libraries with flow/jsonpath, which does not require value sanitization for the same functionality.

Advisory ID: BACKDROP-SA-CONTRIB-2020-001
Versions affected:
  • Feeds JSONPath Parser 1.x-1.0.0

Backdrop core - Moderately critical - Third-party library - BACKDROP-SA-CORE-2020-001

Date: Mar 25th, 2020
Security risk: Moderately Critical
Vulnerability: Third Party Libraries

The Backdrop project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Backdrop configurations.

Vulnerabilities are possible if Backdrop is configured to use the Rich-Text editor, CKEditor, for editing content. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.

The latest versions of Backdrop update CKEditor to 4.14 to mitigate the vulnerabilities.

Advisory ID: BACKDROP-SA-CORE-2020-001
Versions affected:
  • Backdrop Core 1.15.x versions prior to 1.15.1
  • Backdrop Core 1.14.x versions prior to 1.14.4

Backdrop versions 1.13 and prior do not receive security coverage.

Backdrop core - Critical - Multiple vulnerabilities - SA-CORE-2019-017

Date: Dec 18th, 2019
Security risk: Critical
Vulnerability: Third Party Libraries, Multiple vulnerabilities

The Backdrop CMS project uses the third-party library Archive_Tar, which has released a security update that impacts some Backdrop configurations.

Multiple vulnerabilities are possible if Backdrop is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads, and processes them.

The latest versions of Backdrop update Archive_Tar to 1.4.9 to mitigate these file processing vulnerabilities.

Advisory ID: BACKDROP-SA-CORE-2019-017
Versions affected:
  • Backdrop Core 1.14.x versions prior to 1.14.2
  • Backdrop Core 1.13.x versions prior to 1.13.5

Backdrop core - Critical - Remote Code Execution - SA-CORE-2019-016

Date: Dec 18th, 2019
Security risk: Critical
Vulnerability: Information Disclosure, Remote Code Execution

Backdrop CMS allows the upload of entire-site configuration archives through the user interface or command-line. Backdrop CMS does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to potentially be uploaded to the server.

This issue is mitigated by the fact that the attacker would be required to have the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.

Advisory ID: BACKDROP-SA-CORE-2019-016
Versions affected:
  • Backdrop Core 1.14.x versions prior to 1.14.2
  • Backdrop Core 1.13.x versions prior to 1.13.5

Backdrop core - Moderately Critical - Cross Site Scripting - SA-CORE-2019-015

Date: Dec 18th, 2019
Security risk: Moderately Critical
Vulnerability: Cross Site Scripting

Backdrop CMS doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer file types".

Advisory ID: BACKDROP-SA-CORE-2019-015
Versions affected:
  • Backdrop Core 1.14.x versions prior to 1.14.2

Backdrop core - Critical - Cross Site Scripting - SA-CORE-2019-014

Date: Dec 18th, 2019
Security risk: Critical
Vulnerability: Cross Site Scripting

Backdrop CMS doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer content types".

Advisory ID: BACKDROP-SA-CORE-2019-014
Versions affected:
  • Backdrop Core 1.14.x versions prior to 1.14.2
  • Backdrop Core 1.13.x versions prior to 1.13.5
