Backdrop core - Not Critical - Access Bypass - BACKDROP-SA-CORE-2026-004

Date: 
Apr 22nd, 2026
Security risk: 
Not Critical
Vulnerabilities: 
  • Access bypass
  • Arbitrary PHP code execution

Backdrop allows administrators to upload certain files that could be executable. The vulnerability is mitigated by the fact that it requires administrator-level access, and in most server configurations execution of uploaded files is disabled either by the server or by the .htaccess files that Backdrop creates. The most recent release hardens the list of file types that may not be uploaded and the list of directories that may not be uploaded to, which helps prevent administrators from accidentally writing into system directories. The list of unsafe extensions is expanded significantly to further reduce the chance that an uploaded file is executed.

Because this configuration already requires administrator-level permissions, the improvements in the latest release are considered security hardening and are not exploitable by unprivileged user accounts.
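The two checks the advisory describes, as an illustrative example added here (it is not Backdrop's own upload code): refusing filenames that carry an executable extension anywhere in the name, so that "shell.php.txt" is caught and not only "shell.php", and refusing destinations that resolve to a system directory or outside the site root. The extension and directory lists, the site root and all function names are assumptions for the example.

```php
<?php
// Illustrative example added to this page; not Backdrop's own upload code.
// Names, lists and paths below are assumptions for the example.

// Extensions a typical web server or PHP handler might execute (assumed list).
const EXAMPLE_UNSAFE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
    'pl', 'py', 'cgi', 'asp', 'aspx', 'jsp', 'sh', 'htaccess', 'htpasswd',
];

// Top-level directories under the site root that uploads must never touch (assumed).
const EXAMPLE_PROTECTED_DIRECTORIES = ['core', 'modules', 'themes', 'layouts'];

/**
 * TRUE if any dot-separated segment after the base name is an unsafe extension.
 * ".htaccess" has an empty base name, so "htaccess" is still examined.
 */
function example_has_unsafe_extension(string $filename): bool {
    $segments = explode('.', strtolower(basename($filename)));
    array_shift($segments);                       // drop the base name
    foreach ($segments as $segment) {
        if (in_array($segment, EXAMPLE_UNSAFE_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Lexically normalise a path: collapse "." and "..", ignore empty segments.
 * Done without realpath() so a not-yet-existing destination can be checked.
 */
function example_normalize_path(string $path): string {
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

/**
 * TRUE if $destination is a subdirectory of $site_root that is neither the
 * root itself nor one of the protected top-level directories.
 */
function example_destination_allowed(string $site_root, string $destination): bool {
    $root   = example_normalize_path($site_root);
    $target = example_normalize_path($destination);
    if (strpos($target, $root . '/') !== 0) {      // escaped the root, or is the root
        return false;
    }
    $relative = substr($target, strlen($root) + 1);
    $top = explode('/', $relative)[0];
    return !in_array($top, EXAMPLE_PROTECTED_DIRECTORIES, true);
}

/** Returns the reasons the upload must be refused; an empty list means accepted. */
function example_validate_upload(string $site_root, string $destination, string $filename): array {
    $errors = [];
    if (example_has_unsafe_extension($filename)) {
        $errors[] = "unsafe extension in '$filename'";
    }
    if (!example_destination_allowed($site_root, $destination)) {
        $errors[] = "destination '$destination' is outside the upload area";
    }
    return $errors;
}

// Constructed cases for a site rooted at /var/www/site.
$cases = [
    ['/var/www/site/files', 'report.pdf'],              // accepted
    ['/var/www/site/files', 'shell.php.txt'],           // double extension
    ['/var/www/site/files', '.htaccess'],               // would alter server rules
    ['/var/www/site/files/../modules', 'image.png'],    // traverses into modules/
    ['/var/www/site', 'settings.php'],                  // site root itself, and php
];
foreach ($cases as [$dir, $name]) {
    $errors = example_validate_upload('/var/www/site', $dir, $name);
    printf("%-40s %s\n", "$dir/$name", $errors ? implode('; ', $errors) : 'ok');
}
```

Only the first case is accepted. The normalisation is lexical on purpose: `realpath()` fails on a directory that does not exist yet, and a check that silently passes on failure is the kind of gap that lets a traversal through.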

Advisory ID: 
BACKDROP-SA-CORE-2026-004
Versions affected: 
  • Backdrop Core 1.33.x versions prior to 1.33.2
  • Backdrop Core 1.32.x versions prior to 1.32.3
  • Backdrop versions 1.31 and prior do not receive security coverage.

Backdrop core - Moderately Critical - Access Bypass - BACKDROP-SA-CORE-2026-003

Date: 
Apr 22nd, 2026
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

Backdrop bulk operations did not always check permissions appropriately. This could allow a user who is permitted to use bulk operations in general to apply them on the file management page and delete files that they did not have specific permission to delete. This vulnerability is mitigated by the fact that the user must have the "Access the manage files overview" permission.
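The pattern behind this class of bug, as an illustrative example added here (it is not the Backdrop bulk operations code): a bulk delete that trusts the overview permission alone, beside one that re-checks access for every selected item. The permission strings, the in-memory file and account records and all function names are assumptions for the example.

```php
<?php
// Illustrative example added to this page; not Backdrop's bulk operations code.
// Permission strings, records and function names are assumptions.

/** Per-item check: may $account delete this one $file? */
function example_file_delete_access(array $file, array $account): bool {
    if (in_array('delete any files', $account['permissions'], true)) {
        return true;
    }
    return in_array('delete own files', $account['permissions'], true)
        && $file['uid'] === $account['uid'];
}

/**
 * Vulnerable pattern: only the permission that unlocks the overview page is
 * checked, then every selected file is deleted.
 */
function example_bulk_delete_vulnerable(array $fids, array &$files, array $account): array {
    if (!in_array('access file overview', $account['permissions'], true)) {
        return ['deleted' => [], 'denied' => $fids];
    }
    foreach ($fids as $fid) {
        unset($files[$fid]);
    }
    return ['deleted' => $fids, 'denied' => []];
}

/**
 * Hardened pattern: the overview permission gates the form, and each item is
 * additionally subject to the same access check a single delete would apply.
 */
function example_bulk_delete_hardened(array $fids, array &$files, array $account): array {
    if (!in_array('access file overview', $account['permissions'], true)) {
        return ['deleted' => [], 'denied' => $fids];
    }
    $result = ['deleted' => [], 'denied' => []];
    foreach ($fids as $fid) {
        if (!isset($files[$fid]) || !example_file_delete_access($files[$fid], $account)) {
            $result['denied'][] = $fid;
            continue;
        }
        unset($files[$fid]);
        $result['deleted'][] = $fid;
    }
    return $result;
}

// Constructed data: two files owned by different users, and an editor who may
// only delete their own files.
$files = [
    10 => ['fid' => 10, 'uid' => 2, 'name' => 'mine.pdf'],
    11 => ['fid' => 11, 'uid' => 1, 'name' => 'admin-only.pdf'],
];
$editor = ['uid' => 2, 'permissions' => ['access file overview', 'delete own files']];

$copy = $files;
print_r(example_bulk_delete_vulnerable([10, 11], $copy, $editor)); // deletes both
$copy = $files;
print_r(example_bulk_delete_hardened([10, 11], $copy, $editor));   // deletes 10, denies 11
```

The useful test when reviewing any bulk action is to ask whether the per-item path (the single "delete" link) and the bulk path call the same access function; if they do not, the bulk form is the bypass.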

Advisory ID: 
BACKDROP-SA-CORE-2026-003
Versions affected: 
  • Backdrop Core 1.33.x versions prior to 1.33.2
  • Backdrop Core 1.32.x versions prior to 1.32.3
  • Backdrop versions 1.31 and prior do not receive security coverage.

Backdrop core - Critical - Cross Site Request Forgery - BACKDROP-SA-CORE-2026-002

Date: 
Apr 22nd, 2026
Security risk: 
Critical
Vulnerability: 
Cross Site Request Forgery

Backdrop's project installer does not check a generated token before queuing projects to be downloaded from the Backdrop contrib repository. A user with permission to post content could craft a special tag that queues and downloads projects when a privileged user views it. This vulnerability is mitigated by the fact that the user needs the ability to post HTML and needs to get a privileged user to view the content they post. Additionally, there is no known way to enable projects, only to download them.
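Why a plain GET link that performs an action is forgeable, and how a session-bound token stops it, as an illustrative example added here (it is not the Backdrop installer code). Backdrop's own helpers for this are backdrop_get_token() and backdrop_valid_token(); the HMAC construction, private key, paths, project names and function names below are assumptions so the example runs stand-alone.

```php
<?php
// Illustrative example added to this page; not the Backdrop installer code.
// Key, paths, names and the HMAC construction are assumptions.

// Constructed site-private key; a real site keeps this secret and per-site.
const EXAMPLE_PRIVATE_KEY = 'c0ffee-example-private-key-not-for-production';

/** Token bound to the requester's session and to the specific action value. */
function example_csrf_token(string $session_id, string $value): string {
    return hash_hmac('sha256', $session_id . ':' . $value, EXAMPLE_PRIVATE_KEY);
}

/** The link a legitimate installer page would render for a logged-in admin. */
function example_queue_link(string $session_id, string $project): string {
    $token = example_csrf_token($session_id, 'installer-queue-' . $project);
    return '/admin/installer/queue?' . http_build_query(['project' => $project, 'token' => $token]);
}

/** Vulnerable handler: any request that names a project gets queued. */
function example_queue_vulnerable(array $query, array &$queue): bool {
    if (empty($query['project'])) {
        return false;
    }
    $queue[] = $query['project'];
    return true;
}

/** Hardened handler: the token must match the current session and the project. */
function example_queue_hardened(array $query, string $session_id, array &$queue): bool {
    if (empty($query['project']) || empty($query['token'])) {
        return false;
    }
    $expected = example_csrf_token($session_id, 'installer-queue-' . $query['project']);
    if (!hash_equals($expected, (string) $query['token'])) {   // constant-time compare
        return false;
    }
    $queue[] = $query['project'];
    return true;
}

// Constructed scenario. The attacker posts content containing
//   <img src="/admin/installer/queue?project=evil_module">
// and an administrator with session id $admin_session later views that page.
$admin_session = 'sess-admin-1234';
$forged_query  = ['project' => 'evil_module'];   // no token: the attacker cannot compute one
$queue = [];
var_dump(example_queue_vulnerable($forged_query, $queue));                // true: queued
var_dump(example_queue_hardened($forged_query, $admin_session, $queue)); // false

// A token the attacker minted under their own session does not validate either.
$forged_query['token'] = example_csrf_token('sess-attacker-9999', 'installer-queue-evil_module');
var_dump(example_queue_hardened($forged_query, $admin_session, $queue)); // false

// The admin's own link, rendered by the site, still works.
parse_str(parse_url(example_queue_link($admin_session, 'example_project'), PHP_URL_QUERY), $admin_query);
var_dump(example_queue_hardened($admin_query, $admin_session, $queue)); // true
print_r($queue);                                                         // evil_module, example_project
```

The token is tied to both the session and the action value, so an attacker who can post HTML can neither reuse a token observed elsewhere on the site nor mint one for another user's session. Using hash_equals() rather than `==` avoids the timing side channel on the comparison.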

Advisory ID: 
BACKDROP-SA-CORE-2026-002
Versions affected: 
  • Backdrop Core 1.33.x versions prior to 1.33.2
  • Backdrop Core 1.32.x versions prior to 1.32.3
  • Backdrop versions 1.31 and prior do not receive security coverage.

Backdrop core - Critical - Cross-site scripting - BACKDROP-SA-CORE-2026-001

Date: 
Apr 22nd, 2026
Security risk: 
Critical
Vulnerability: 
Cross Site Scripting

Backdrop core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting (XSS) vulnerability.

Advisory ID: 
BACKDROP-SA-CORE-2026-001
Versions affected: 
  • Backdrop Core 1.33.x versions prior to 1.33.2
  • Backdrop Core 1.32.x versions prior to 1.32.3
  • Backdrop versions 1.31 and prior do not receive security coverage.

Protected Pages - Moderately critical - Access bypass - BACKDROP-SA-CONTRIB-2025-016

Date: 
Aug 29th, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

The Protected Pages module allows you to protect individual pages with a password.

The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.
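Attempt throttling for a page password, as an illustrative example added here (it is not the Protected Pages module's code). It is modelled on Backdrop's flood API (flood_register_event() and flood_is_allowed()) but uses an in-memory store so it runs stand-alone; the thresholds, window, event names and the injected clock are assumptions for the example.

```php
<?php
// Illustrative example added to this page; not the Protected Pages module code.
// Thresholds, names and the in-memory flood store are assumptions.

/** Minimal in-memory flood log keyed by event name and identifier (e.g. client IP). */
class ExampleFlood {
    private array $events = [];   // "$name|$identifier" => list of timestamps

    public function register(string $name, string $identifier, int $now): void {
        $this->events["$name|$identifier"][] = $now;
    }

    /** TRUE while fewer than $threshold events fall inside the last $window seconds. */
    public function isAllowed(string $name, string $identifier, int $threshold, int $window, int $now): bool {
        $recent = array_filter(
            $this->events["$name|$identifier"] ?? [],
            fn(int $t) => $t > $now - $window
        );
        return count($recent) < $threshold;
    }

    public function clear(string $name, string $identifier): void {
        unset($this->events["$name|$identifier"]);
    }
}

const EXAMPLE_ATTEMPT_LIMIT  = 5;     // failures allowed per window
const EXAMPLE_ATTEMPT_WINDOW = 900;   // seconds

/**
 * Returns 'ok', 'wrong' or 'throttled'. The throttle check runs BEFORE the
 * password comparison, so a throttled client learns nothing about the password.
 */
function example_check_page_password(string $page_id, string $supplied, string $hash,
                                     string $ip, ExampleFlood $flood, int $now): string {
    $event = 'protected_pages.failed.' . $page_id;
    if (!$flood->isAllowed($event, $ip, EXAMPLE_ATTEMPT_LIMIT, EXAMPLE_ATTEMPT_WINDOW, $now)) {
        return 'throttled';
    }
    if (password_verify($supplied, $hash)) {
        $flood->clear($event, $ip);   // a success resets the counter
        return 'ok';
    }
    $flood->register($event, $ip, $now);
    return 'wrong';
}

// Constructed scenario: the page password is stored as a password_hash() digest.
$hash  = password_hash('correct horse', PASSWORD_DEFAULT);
$flood = new ExampleFlood();
$ip    = '203.0.113.10';
$t0    = 1_700_000_000;

for ($i = 0; $i < EXAMPLE_ATTEMPT_LIMIT; $i++) {
    echo example_check_page_password('42', "guess$i", $hash, $ip, $flood, $t0 + $i), "\n";   // wrong, five times
}
echo example_check_page_password('42', 'correct horse', $hash, $ip, $flood, $t0 + 10), "\n"; // throttled
echo example_check_page_password('42', 'correct horse', $hash, $ip, $flood,
                                 $t0 + EXAMPLE_ATTEMPT_WINDOW + 1), "\n";                      // ok
```

Keying the counter by client IP is the usual first step and is what Backdrop's flood API supports directly; an attacker with many addresses can still spread guesses across them, so a second counter keyed by the protected page alone (with a higher threshold) is worth adding where the password is the only thing standing between the public and the page.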

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-016
Versions affected: 
  • Protected pages module, all versions prior to 1.x-2.4.1.

Module filter - Less Critical - Third Party Libraries - BACKDROP-SA-CONTRIB-2025-015

Date: 
Aug 25th, 2025
Security risk: 
Less Critical
Vulnerability: 
Third Party Libraries

The Module filter module included an older version of the jQuery BBQ library, which contained a security vulnerability.

This vulnerability is mitigated by the fact that the affected functionality is only reachable by users with access to the module's pages, which is normally restricted to the administrator role.


Note: Backdrop security releases are usually made on Wednesdays. This release was accidentally created out of band.


Advisory ID: 
BACKDROP-SA-CONTRIB-2025-015
Versions affected: 
  • All module filter versions prior to 1.x-2.2.3

GLightbox - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-014

Date: 
Jun 26th, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

GLightbox module provides integration with the GLightbox library, a JavaScript lightbox for images.

The module doesn't sufficiently sanitize text provided to the GLightbox JavaScript library, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to edit content that is configured to use the GLightbox library.

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-014
Versions affected: 
  • GLightbox all versions prior to 1.x-1.0.3

GDPR Cookies - Less critical - Cross Site Scripting - SA-CONTRIB-2025-013

Date: 
May 6th, 2025
Security risk: 
Less Critical
Vulnerability: 
Cross Site Scripting

GDPR Cookies is a module that helps to meet GDPR requirements by blocking third party services that set cookies unless and until the user consents. 

The module doesn't sufficiently protect visitors from Cross Site Scripting if a malicious value has been provided for the optional 'Info content' field for the YouTube service.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service", and a site must have added a YouTube service as configuration. 


A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Advisory ID: 
SA-CONTRIB-2025-013
Versions affected: 
  • GDPR Cookies all versions prior to 1.x-1.3.5

Colorbox - Moderately critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-012

Date: 
Apr 23rd, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Colorbox is a module that allows images, and iframed or inline content, to be displayed in a modal above the current page.

The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.


Advisory ID: 
BACKDROP-SA-CONTRIB-2025-012
Versions affected: 
  • Colorbox all versions prior to 1.x-2.17.3

Flag - Moderately critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-011

Date: 
Apr 16th, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Flag module allows flags to be added to nodes, comments, users, and any other type of entity.

The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format.


Advisory ID: 
BACKDROP-SA-CONTRIB-2025-011
Versions affected: 
  • Flag versions prior to 1.x-3.6.2
