Security Advisories

Backdrop core contains a potential PHP Object Injection vulnerability that, if combined with another exploit, could lead to Remote Code Execution.

This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Backdrop core.

As part of the protection against this potential vulnerability, additional checks have been added to some of Backdrop core's database related code.

Backdrop CMS doesn't sufficiently sanitize SVG images when they are embedded into content.

This vulnerability is mitigated by the fact that the SVG tag must be in the list of allowed tags for a text format, and an attacker must have a role with sufficient permission to access the format, and upload images. 

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently migrate sessions before prompting for a second factor token.

This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing Two Factor authentication. An attacker must gather additional information regarding the entry form after authentication. An attacker must still present a valid token to complete authentication.

Backdrop CMS doesn't sufficiently sanitize field labels before they are displayed in certain places.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fields".

Nivo Slider does not check permissions properly, allowing anonymous site visitors access to admin pages where they can change the module settings.

The reason is in the function nivo_slider_menu() where the property 'access callback' is set to TRUE (for 3 admin paths).

Some issues were discovered in phpseclib 3.x before 3.0.36, which is included as part of the Google API PHP Client Library bundled with the Google Auth module. They make it possible for a denial of service attack.

The Coffee module helps you to navigate through the Backdrop admin menus faster with a shortcut popup.

The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing a XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".

This module provides an alternative means of rebuilding the Content Access table.

The module doesn't sufficiently reset the state of content access when the module is uninstalled.

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Examples of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.

Known client modules include:

• Forum Access
• Content Access
• Flexi Access (Drupal only)

Coordinated Security Advisories are being released for those client modules that have Security coverage.

This module allows you to manage permissions for content types by role. It allows you to specify custom view, view own, edit, edit own, delete and delete own permissions for each content type. This module integrates with the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "Grant content access" or "Grant own content access" permission.

This Security Advisory is being released in coordination with BACKDROP-SA-CONTRIB-2023-005 for the ACL module, which Content Access can integrate with.