Backdrop core - Moderately Critical - Third Party Libraries - BACKDROP-SA-CORE-2021-005

Date: 
Aug 12th, 2021
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting
Third Party Libraries

The Backdrop project uses the CKEditor library for Rich-Text editing. CKEditor has released a security update that impacts Backdrop.

Vulnerabilities are possible if Backdrop remains configured to use the CKEditor library for Rich-Text editing. 

An attacker that can enter or edit content as formatted text (even without access to Rich-Text editor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target other people who have permission to use the Rich-Text editor on the same content, including site admins with privileged access.

If you're using the fakeobjects CKEditor plugin (not included with core) you will also want to update this.

Advisory ID: 
BACKDROP-SA-CORE-2021-005
Versions affected: 
  • Backdrop Core 1.19.x versions prior to 1.19.3
  • Backdrop Core 1.18.x versions prior to 1.18.7

Backdrop versions 1.17 and prior do not receive security coverage.

Backdrop core release on Thurs Aug 12, 2021 - PSA-2021-08-09

Date: 
Aug 9th, 2021
Security risk: 
Moderately Critical
Vulnerability: 
Third Party Libraries
To Be Announced

The Backdrop Security Team will be coordinating a security release for Backdrop 1.19 and 1.18 this week on Thursday, August 12, 2021

We are issuing this PSA in advance because August 12, 2021 is not a security window in the regular Drupal security release window schedule, and since we coordinate security releases with Drupal, there would not normally be any security release on this date.

The Backdrop core release will be made between 16:00 – 22:00 UTC (noon – 6:00pm EDT). It is rated as moderately critical and will be an update to a vendor library only.

 

Backdrop core - Critical - Third Party Libraries - BACKDROP-SA-CORE-2021-004

Date: 
Jul 21st, 2021
Security risk: 
Critical
Vulnerability: 
Third Party Libraries

The Backdrop project uses the pear Archive_Tar library, which has released a security update that impacts Backdrop.

The vulnerability is mitigated by the fact that Backdrop core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks. Backdrop also does not use Archive_Tar in normal operation of the site, but maintains it for compatibility with contrib modules and custom code.

Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.

Advisory ID: 
BACKDROP-SA-CORE-2021-004
Versions affected: 
  • Backdrop Core 1.19.x versions prior to 1.19.2
  • Backdrop Core 1.18.x versions prior to 1.18.6

Backdrop versions 1.17 and prior do not receive security coverage.

Backdrop core - Moderately critical - Cross Site Scripting - BACKDROP-SA-CORE-2021-003

Date: 
May 26th, 2021
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Backdrop core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack.

Update: 2021-06-11: More details are available on CKEditor's blog.

Advisory ID: 
BACKDROP-SA-CORE-2021-003
Versions affected: 
  • Backdrop Core 1.19.x versions prior to 1.19.1
  • Backdrop Core 1.18.x versions prior to 1.18.5

Backdrop versions 1.17 and prior do not receive security coverage.

Backdrop core - Critical - Cross-site scripting - BACKDROP-SA-CORE-2021-002

Date: 
Apr 21st, 2021
Security risk: 
Critical
Vulnerability: 
Cross Site Scripting

Backdrop core's sanitization API fails to properly filter cross-site scripting under certain circumstances. 

Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

Advisory ID: 
BACKDROP-SA-CORE-2021-002
Versions affected: 
  • Backdrop Core 1.18.x versions prior to 1.18.3
  • Backdrop Core 1.17.x versions prior to 1.17.7

Backdrop versions 1.16 and prior do not receive security coverage.

Backdrop core - Critical - Third-party libraries - BACKDROP-SA-CORE-2021-001

Date: 
Jan 27th, 2021
Security risk: 
Critical
Vulnerability: 
Third Party Libraries

The Backdrop project uses the pear Archive_Tar library, which has released a security update that impacts Backdrop. For more information please see:

Exploits may be possible if Backdrop is configured to allow .tar.tar.gz.bz2, or .tlz file uploads and processes them, or if the Installer module is enabled.

Advisory ID: 
BACKDROP-SA-CORE-2021-001
Versions affected: 
  • Backdrop Core 1.18.x versions prior to 1.18.1
  • Backdrop Core 1.17.x versions prior to 1.17.6

Backdrop versions 1.16 and prior do not receive security coverage.

Corresponding security release for Drupal SA-CORE-2021-001 postponed

Date: 
Jan 20th, 2021
Security risk: 
Critical
Vulnerability: 
Third Party Libraries

There will be a security release of Backdrop 1.18.x, and 1.17.x on January 27th, 2021 between 19:00 - 23:00 UTC. Security release announcements will appear here, on the Backdrop security page. This release will not require a database update.

The PEAR Archive_Tar library included with Backdrop core released a security update earlier this month, CVE-2020-36193. The core update will patch the library to include this fix. This security release will correlate to Drupal security release SA-CORE-2021-001 issued on January 20th. 2021.

Because Backdrop issued its regularly scheduled minor release on January 15th, and based on the severity of these issues, the Backdrop Security Team has agreed to postpone this security release for one week.

 

Advisory ID: 
BACKDROP-SA-CORE-2021-001
Versions affected: 
  • Backdrop Core 1.18.x versions prior to 1.18.1
  • Backdrop Core 1.17.x versions prior to 1.17.6

Backdrop versions 1.16 and prior do not receive security coverage.

Backdrop core - Critical - Arbitrary PHP code execution - BACKDROP-SA-CORE-2020-008

Date: 
Nov 25th, 2020
Security risk: 
Critical
Vulnerability: 
Arbitrary PHP code execution

The Backdrop CMS project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Backdrop. For more information please see the CVE's linked here.

Multiple vulnerabilities are possible if Backdrop is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2 or .tlz files.

 

Advisory ID: 
BACKDROP-SA-CORE-2020-008
Versions affected: 
  • Backdrop Core 1.17.x versions prior to 1.17.4
  • Backdrop Core 1.16.x versions prior to 1.16.6

Backdrop versions 1.15 and prior do not receive security coverage.

Backdrop core - Critical - Remote code execution - SA-CORE-2020-007

Date: 
Nov 18th, 2020
Security risk: 
Critical
Vulnerability: 
Remote Code Execution

Backdrop core does not properly sanitize certain filenames on uploaded files. This can lead to files being interpreted as the incorrect extension and served as the wrong MIME type, or executed as PHP for certain hosting configurations.

Advisory ID: 
BACKDROP-SA-CORE-2020-007
Versions affected: 
  • Backdrop Core 1.17.x versions prior to 1.17.3
  • Backdrop Core 1.16.x versions prior to 1.16.5

Backdrop versions 1.15 and prior do not receive security coverage.

Backdrop core - Moderately critical - Cross-site scripting - BACKDROP-SA-CORE-2020-006

Date: 
Sep 30th, 2020
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Backdrop core's built-in CKEditor image caption functionality is vulnerable to XSS.

This SA is equivalent to Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010

Advisory ID: 
BACKDROP-SA-CORE-2020-006
Versions affected: 
  • Backdrop Core 1.17.x versions prior to 1.17.1
  • Backdrop Core 1.16.x versions prior to 1.16.4

Backdrop versions 1.15 and prior do not receive security coverage.

Pages