Security Advisories

GDPR Cookies is a module that helps to meet GDPR requirements by blocking third party services that set cookies unless and until the user consents. 

The module doesn't sufficiently protect visitors from Cross Site Scripting if a malicious value has been provided for the optional 'Info content' field for the YouTube service.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service", and a site must have added a YouTube service as configuration. 

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page.

The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Flag module allows flags to be added to nodes, comments, users, and any other type of entity.

The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format.

The GDPR cookies module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to insert specific data attributes.

The chosen module contains a library with known vulnerabilities:

• https://security.snyk.io/vuln/SNYK-JS-CHOSENJS-3184933

The Chosen JavaScript library for making long, unwieldy select boxes more user friendly. This library did not properly sanitize <code>optgroup</code> labels. 

This vulnerability is mitigated by the fact that an attacker must have the ability to enter <code>optgroup</code> labels. This action and would require a contrib or custom solution. 

This module enables your site to obfuscate Email addresses and prevent spambots to collect them.

The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting (XSS) vulnerability.

This is mitigated by the fact an attacker must be able to insert span HTML elements with data attributes in the page.

See https://www.drupal.org/sa-contrib-2025-016.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Backdrop core Link field attributes may not be sufficiently sanitized in specialized scenarios, which can lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability is not directly exploitable within core itself, nor are there any contributed modules that appear to exhibit the behavior. This is a security hardening to prevent such attacks in the future. This problem has not been reproducible without a specialized module. 

Sites are not affected if they are not extending the Link field module in ways that provide the ability to input additional link attributes.

Backdrop CMS includes bulk operations for content that allow people to modify multiple nodes at once from the Manage Content page (admin/content). These bulk operations can also be added to other listings using Views.

A bug in the core Actions system allows some people to use bulk actions to modify some values that they would not have permission to modify when editing individual nodes.

This vulnerability is mitigated by the fact that an attacker must have permission to access the /admin/content page, or other custom views used to modify nodes.

In particular, the following bulk actions now require either the "Administer content" permission, or the "Bypass content access control" permission.

• Make content sticky
• Make content unsticky
• Promote content
• Remove promotion
• Publish content
• Unpublish content
• Delete content

The Mail Disguise module enables a Backdrop website to obfuscate email addresses, and should prevent spambots from collecting them. The module doesn't sufficiently validate the data attribute value on links, potentially leading to a Cross Site Scripting (XSS) vulnerability.

This is mitigated by the fact an attacker must be able to insert link (<a>) HTML elements containing data attributes into the page.

The Masquerade module allows people to temporarily switch to another user account.

The module provides a "Masquerade as admin" permission to restrict people who can masquerade from switching to an account with administrative privileges. This permission is not always honored and may allow non-administrative users to masquerade as an administrator.

This vulnerability is mitigated by the fact that an attacker must have a role with the "Masquerade as user" permission.