Nivo Slider - Less Critical - Access bypass - BACKDROP-SA-CONTRIB-2024-004

Date: 
May 22nd, 2024
Security risk: 
Less Critical
Vulnerability: 
Access bypass

Nivo Slider does not check permissions properly, allowing anonymous site visitors access to admin pages where they can change the module settings.

The reason is in the function nivo_slider_menu() where the property 'access callback' is set to TRUE (for 3 admin paths).
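The defect and its fix, as an added example in hook_menu() form (this is illustrative code, not the Nivo Slider module's own; the path, the form ID and the permission name 'administer nivo slider' are assumptions). The audit helper at the end is the check a site owner can run over all modules' router items to find other admin paths left open the same way.

```php
<?php
/**
 * Illustrative hook_menu() entries showing the defect and its fix. Example
 * code, not the Nivo Slider module's own; the path, form ID and the
 * permission name 'administer nivo slider' are assumptions.
 */

// BEFORE: 'access callback' => TRUE short-circuits the access check entirely,
// so anonymous visitors can load the settings form and submit it.
function nivo_slider_menu_before() {
  $items = array();
  $items['admin/config/media/nivo-slider'] = array(
    'title' => 'Nivo Slider',
    'page callback' => 'backdrop_get_form',
    'page arguments' => array('nivo_slider_settings_form'),
    'access callback' => TRUE,
  );
  return $items;
}

// AFTER: leave 'access callback' at its default (user_access()) and name the
// required permission in 'access arguments'. The permission must also be
// declared in hook_permission() so that it can be granted to roles.
function nivo_slider_menu_after() {
  $items = array();
  $items['admin/config/media/nivo-slider'] = array(
    'title' => 'Nivo Slider',
    'page callback' => 'backdrop_get_form',
    'page arguments' => array('nivo_slider_settings_form'),
    'access arguments' => array('administer nivo slider'),
  );
  return $items;
}

function nivo_slider_permission() {
  return array(
    'administer nivo slider' => array('title' => 'Administer Nivo Slider'),
  );
}

/**
 * Audit helper: given the merged result of every module's hook_menu()
 * (module_invoke_all('menu') on a bootstrapped site), list admin/ paths whose
 * access callback is the literal TRUE. A TRUE callback is legitimate for
 * genuinely public paths, which is why only admin/ paths are flagged.
 */
function audit_open_admin_paths(array $items) {
  $open = array();
  foreach ($items as $path => $item) {
    if (strpos($path, 'admin/') === 0
        && isset($item['access callback'])
        && $item['access callback'] === TRUE) {
      $open[] = $path;
    }
  }
  return $open;
}

// Standalone run over the two constructed definitions above: the "before"
// definition is reported, the "after" definition is not.
var_export(audit_open_admin_paths(nivo_slider_menu_before()));
echo "\n";
var_export(audit_open_admin_paths(nivo_slider_menu_after()));
echo "\n";
```

On a live site, grepping contributed and custom modules for `'access callback' => TRUE` under `admin/` paths is the quickest form of the same audit.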

Advisory ID: 
BACKDROP-SA-CONTRIB-2024-004
Versions affected: 
  • Nivo Slider 1.x versions prior to 3.0.0

Google Auth - Moderately Critical - DoS - BACKDROP-SA-CONTRIB-2024-003

Date: 
Mar 6th, 2024
Security risk: 
Less Critical
Vulnerability: 
Denial of Service

Several issues were discovered in phpseclib 3.x before 3.0.36, which is included in the Google API PHP Client Library bundled with the Google Auth module. They make a denial of service attack possible.

Advisory ID: 
BACKDROP-SA-CONTRIB-2024-003
Versions affected: 
  • Google Auth versions prior to 1.x-2.0.5

Coffee - Moderately critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2024-002

Date: 
Feb 29th, 2024
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

The Coffee module helps you to navigate through the Backdrop admin menus faster with a shortcut popup.

The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".
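The escaping fix, as an added example (illustrative code, not the Coffee module's own; the function names and the menu data are constructed). It shows a stored menu title carrying a payload, the unescaped rendering that makes it live HTML, and the rendering with check_plain() applied at output. check_plain() is Backdrop core's HTML escaper; a fallback is defined so the file also runs outside Backdrop.

```php
<?php
/**
 * Escaping menu titles before they reach the shortcut popup. Added example,
 * not the Coffee module's own code; function names and menu data are
 * constructed. check_plain() is the Backdrop core escaper; the fallback
 * below exists only so the file runs outside Backdrop.
 */
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed menu data. The second title is what a user holding
// "Administer menus and menu links" could store.
$menu_links = array(
  array('title' => 'Content', 'path' => 'admin/content'),
  array('title' => 'Reports <img src=x onerror=alert(document.cookie)>', 'path' => 'admin/reports'),
);

// BEFORE: the title is concatenated into the popup markup verbatim, so the
// stored <img> tag becomes live HTML for every user who opens the popup.
function coffee_popup_markup_before(array $links) {
  $out = "<ul>\n";
  foreach ($links as $link) {
    $out .= '  <li><a href="/' . $link['path'] . '">' . $link['title'] . "</a></li>\n";
  }
  return $out . '</ul>';
}

// AFTER: escape at the point of output. Every value that lands in an HTML
// context goes through check_plain(), the href attribute included.
function coffee_popup_markup_after(array $links) {
  $out = "<ul>\n";
  foreach ($links as $link) {
    $out .= '  <li><a href="/' . check_plain($link['path']) . '">'
          . check_plain($link['title']) . "</a></li>\n";
  }
  return $out . '</ul>';
}

echo coffee_popup_markup_before($menu_links), "\n\n";
echo coffee_popup_markup_after($menu_links), "\n";
```

If the module instead ships the items to the browser as a JavaScript settings array and builds the list client-side, the same rule applies there: insert titles with `textContent` (or jQuery's `.text()`), never `innerHTML`/`.html()`, or escape them before they leave PHP.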

Advisory ID: 
BACKDROP-SA-CONTRIB-2024-002
Versions affected: 

Node Access Rebuild Progressive - Less critical - Access bypass - BACKDROP-SA-CONTRIB-2024-001

Date: 
Feb 21st, 2024
Security risk: 
Less Critical
Vulnerability: 
Access bypass

This module provides an alternative means of rebuilding the Content Access table.

The module does not sufficiently reset the content access state when it is uninstalled.
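What "resetting the content access state on uninstall" looks like in code, as an added example (illustrative, not the Node Access Rebuild Progressive module's own; the state key 'node_access_rebuild_progressive_pending' is an assumption). node_access_needs_rebuild() and state_get()/state_del() are Backdrop core APIs; the stubs at the top exist only so the file runs outside Backdrop.

```php
<?php
/**
 * Illustrative hook_uninstall() for a module that takes over node-access
 * rebuilding. Example code, not the Node Access Rebuild Progressive module's
 * own; the state key 'node_access_rebuild_progressive_pending' is assumed.
 * node_access_needs_rebuild() and state_get()/state_del() are Backdrop core
 * APIs; the stubs below exist only so this file runs outside Backdrop.
 */
if (!function_exists('state_get')) {
  $GLOBALS['example_state'] = array(
    'node_access_needs_rebuild' => FALSE,
    'node_access_rebuild_progressive_pending' => TRUE,
  );
  function state_get($name, $default = NULL) {
    return isset($GLOBALS['example_state'][$name]) ? $GLOBALS['example_state'][$name] : $default;
  }
  function state_del($name) {
    unset($GLOBALS['example_state'][$name]);
  }
  function node_access_needs_rebuild($rebuild = NULL) {
    if ($rebuild === NULL) {
      return (bool) state_get('node_access_needs_rebuild', FALSE);
    }
    $GLOBALS['example_state']['node_access_needs_rebuild'] = (bool) $rebuild;
  }
}

/**
 * Implements hook_uninstall().
 *
 * A module that rebuilds node_access in slices keeps its own record of how
 * far it got. When it is removed, that record must not simply vanish: core
 * has to be told that the table may be stale, otherwise node_access keeps
 * whatever grants the last partial run left behind.
 */
function node_access_rebuild_progressive_uninstall() {
  // Drop the module's own bookkeeping ...
  state_del('node_access_rebuild_progressive_pending');
  // ... and hand the job back to core unconditionally. Core's status report
  // will now warn administrators and offer the full rebuild.
  node_access_needs_rebuild(TRUE);
}

/**
 * Post-uninstall check: TRUE when core will prompt for a rebuild and no
 * leftover module state remains.
 */
function node_access_rebuild_progressive_verify() {
  return node_access_needs_rebuild() === TRUE
    && state_get('node_access_rebuild_progressive_pending', NULL) === NULL;
}

node_access_rebuild_progressive_uninstall();
var_dump(node_access_rebuild_progressive_verify());
```

After updating or removing the module on a real site, visit the status report and run the content access rebuild if it is offered; that is the only way to be sure the grants table reflects the modules that remain.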

Advisory ID: 
BACKDROP-SA-CONTRIB-2024-001
Versions affected: 
  • Node Access Rebuild Progressive versions prior to 1.x-1.0.1

ACL - Critical - Remote Code Execution - BACKDROP-SA-CONTRIB-2023-005

Date: 
Aug 23rd, 2023
Security risk: 
Critical
Vulnerability: 
Remote Code Execution

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Examples of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.

Known client modules include:

  • Forum Access
  • Content Access
  • Flexi Access (Drupal only)

Coordinated security advisories are being released for those client modules that have security coverage.

Advisory ID: 
BACKDROP-SA-CONTRIB-2023-005
Versions affected: 
  • ACL versions prior to 1.x-1.4.0

Content Access - Critical - Remote Code Execution - BACKDROP-SA-CONTRIB-2023-007

Date: 
Aug 23rd, 2023
Security risk: 
Critical
Vulnerability: 
Remote Code Execution

This module allows you to manage permissions for content types by role. It allows you to specify custom view, view own, edit, edit own, delete and delete own permissions for each content type. This module integrates with the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "Grant content access" or "Grant own content access" permission.

This Security Advisory is being released in coordination with BACKDROP-SA-CONTRIB-2023-005 for the ACL module, which Content Access can integrate with.

Advisory ID: 
BACKDROP-SA-CONTRIB-2023-007
Versions affected: 
  • Content Access, all versions prior to 1.x-1.3.0

Forum Access - Critical - Remote Code Execution - BACKDROP-SA-CONTRIB-2023-006

Date: 
Aug 23rd, 2023
Security risk: 
Critical
Vulnerability: 
Remote Code Execution

This module changes your forum administration page to allow you to set forums to private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

This Security Advisory is being released in coordination with BACKDROP-SA-CONTRIB-2023-005 for the ACL module, on which Forum Access depends.

Advisory ID: 
BACKDROP-SA-CONTRIB-2023-006
Versions affected: 
  • Forum Access 1.x-1.x versions prior to 1.x-1.6.
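The ACL, Content Access and Forum Access advisories above all describe the same class of bug: user input reaching a deserialization routine. The following added example shows the generic PHP pattern and its two fixes. It is constructed illustration code, not any of the three modules' own; the input format, the function names and the LogWriter class are assumptions standing in for whatever gadget class happens to be loadable on a real site.

```php
<?php
/**
 * Generic PHP object-injection illustration. Constructed example code, not
 * the ACL, Content Access or Forum Access modules' own; the input format,
 * function names and the LogWriter class are assumptions. The pattern the
 * three advisories describe is user-supplied text reaching unserialize(),
 * which instantiates whatever class the attacker names, with attacker-chosen
 * properties, and then runs that class's magic methods.
 */

// Stand-in for a "gadget": any class already loadable in the code base whose
// __wakeup() or __destruct() acts on its properties. This one only records
// what a real gadget would have done.
class LogWriter {
  public $path;
  public $data;
  public static $calls = array();

  public function __destruct() {
    // A real gadget would run file_put_contents($this->path, $this->data).
    self::$calls[] = "would write '{$this->data}' to {$this->path}";
  }
}

// BEFORE: the submitted value is unserialized as-is. Even though the result
// is then type-checked, the object has already been created and its
// destructor will run when $uids goes out of scope.
function acl_parse_uids_before($input) {
  $uids = unserialize($input);
  return is_array($uids) ? array_map('intval', $uids) : array();
}

// AFTER (preferred): accept a format that cannot encode objects at all.
function acl_parse_uids_after($input) {
  $uids = json_decode($input, TRUE);
  return is_array($uids) ? array_values(array_filter(array_map('intval', $uids))) : array();
}

// AFTER (when stored data must stay in serialize() format): refuse to
// instantiate any class. Unknown classes come back as __PHP_Incomplete_Class,
// whose magic methods never run. Requires PHP 7.0 or later.
function acl_parse_uids_after_legacy($input) {
  $uids = @unserialize($input, array('allowed_classes' => FALSE));
  return is_array($uids) ? array_map('intval', $uids) : array();
}

// Constructed inputs: a legitimate list and a crafted object payload.
$legit = serialize(array(4, 7, 9));
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:10:"/tmp/x.php";s:4:"data";s:5:"pwned";}';

var_dump(acl_parse_uids_before($legit));
var_dump(acl_parse_uids_before($payload));
// By this point the vulnerable parser has already created and destroyed a
// LogWriter, so its destructor has run once:
var_dump(LogWriter::$calls);

LogWriter::$calls = array();
var_dump(acl_parse_uids_after_legacy($payload));
var_dump(acl_parse_uids_after(json_encode(array(4, 7, 9))));
// Neither hardened parser instantiated anything:
var_dump(LogWriter::$calls);
```

The type check after unserialize() is the trap: it looks like validation but runs after the damage. Whether a given site is exploitable depends on which gadget classes its code base makes autoloadable, which is why the advisories rate this as RCE rather than a lesser impact.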

Matomo Analytics - Less critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2023-004

Date: 
Aug 3rd, 2023
Security risk: 
Less Critical
Vulnerability: 
Cross Site Scripting

This module enables you to add the Matomo web statistics tracking system to your website.

The module does not validate the URL of the Matomo JS code it loads on the website, so a user with access to the settings form could configure the module to load JS from a malicious site.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" to access the settings forms where this can be configured.
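The missing check, as an added example: validate the administrator-supplied script URL before it is saved, so that only an https URL on the configured Matomo server's host (or a subdomain of it) is accepted. This is illustrative code, not the Matomo module's own; the form field names 'matomo_js_url' and 'matomo_url_https' and the function names are assumptions. form_set_error() and t() are Backdrop form API functions; the standalone run at the bottom only exercises the pure validator.

```php
<?php
/**
 * Validate an administrator-supplied tracking-script URL before saving it.
 * Added example, not the Matomo module's own code; the form field names
 * 'matomo_js_url' and 'matomo_url_https' and the function names are
 * assumptions. form_set_error() and t() are Backdrop form API functions.
 */

/**
 * TRUE only for an https URL whose host is one of $allowed_hosts or a
 * subdomain of one. The comparison is made at a label boundary, so
 * "evil-matomo.example.com" does not match an allowlist of "matomo.example.com".
 */
function matomo_script_url_is_allowed($url, array $allowed_hosts) {
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  if (strtolower($parts['scheme']) !== 'https') {
    return FALSE;
  }
  // Credentials in the URL are a classic way of disguising the real host.
  if (isset($parts['user']) || isset($parts['pass'])) {
    return FALSE;
  }
  $host = strtolower(rtrim($parts['host'], '.'));
  foreach ($allowed_hosts as $allowed) {
    $allowed = strtolower(rtrim($allowed, '.'));
    if ($allowed === '') {
      continue;
    }
    if ($host === $allowed || substr($host, -strlen('.' . $allowed)) === '.' . $allowed) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Form validation handler: the script must come from the configured Matomo
 * server itself. Only roles with "administer matomo" reach this form, but a
 * compromised or careless administrator account should still not be able to
 * point every visitor's browser at an arbitrary origin.
 */
function matomo_admin_settings_form_validate($form, &$form_state) {
  $server = isset($form_state['values']['matomo_url_https']) ? $form_state['values']['matomo_url_https'] : '';
  $server_host = (string) parse_url($server, PHP_URL_HOST);
  $js_url = isset($form_state['values']['matomo_js_url']) ? trim($form_state['values']['matomo_js_url']) : '';
  if ($js_url !== '' && !matomo_script_url_is_allowed($js_url, array($server_host))) {
    form_set_error('matomo_js_url', t('The tracking script must be loaded over HTTPS from your Matomo server.'));
  }
}

// Standalone check on constructed inputs against a constructed allowlist.
$allowed = array('matomo.example.com');
$candidates = array(
  'https://matomo.example.com/matomo.js',
  'https://cdn.matomo.example.com/matomo.js',
  'http://matomo.example.com/matomo.js',
  'https://evil-matomo.example.com/matomo.js',
  'https://matomo.example.com@attacker.test/x.js',
  'javascript:alert(1)',
);
foreach ($candidates as $candidate) {
  printf("%-48s %s\n", $candidate, matomo_script_url_is_allowed($candidate, $allowed) ? 'allowed' : 'rejected');
}
```

A site that self-hosts the tracking script can go one step further and pin it with a Subresource Integrity hash on the script tag, which turns a later change of the file's contents into a load failure instead of silent code execution in every visitor's browser.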

Advisory ID: 
BACKDROP-SA-CONTRIB-2023-004
Versions affected: 
  • Matomo versions prior to 2.12.2

Backdrop core - Moderately critical - Access bypass - BACKDROP-SA-CORE-2023-005

Date: 
Apr 19th, 2023
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

File downloads do not sufficiently sanitize file paths in certain situations. This may result in people gaining access to private files to which they should not have access.

Some sites may require configuration changes following this security release. Review the release notes if you have issues accessing private files after updating.

  • All Backdrop sites running on Windows web servers are vulnerable.
  • Backdrop sites on Linux web servers are vulnerable only with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.
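The check that a private-file download handler needs, as an added example (illustrative code, not Backdrop core's own; the function names are assumptions). It rejects the traversal forms the advisory points at: backslash separators, which Windows treats as path separators even when a check only looks for "/"; ".." segments; absolute paths; and, for the Linux "certain directory structures" case, a path that exists inside the private directory but resolves outside it through a symlink. The fixture at the bottom is constructed in a temporary directory so the file runs offline.

```php
<?php
/**
 * Resolve a requested private-file path and confirm it cannot escape the
 * private files directory. Added example, not Backdrop core's own code; the
 * function names are assumptions.
 */
function private_file_resolve($private_dir, $requested) {
  // NUL bytes truncate paths inside C-level filesystem calls.
  if (strpos($requested, "\0") !== FALSE) {
    return FALSE;
  }
  // Treat backslashes as separators everywhere: on Windows the filesystem
  // does, so "..\..\settings.php" is a traversal even when a check only
  // looks for "/".
  $rel = str_replace('\\', '/', $requested);
  // Refuse absolute paths (POSIX and drive-letter forms) and any ".." segment.
  if ($rel === '' || $rel[0] === '/' || preg_match('#^[A-Za-z]:#', $rel)) {
    return FALSE;
  }
  foreach (explode('/', $rel) as $segment) {
    if ($segment === '..') {
      return FALSE;
    }
  }
  // realpath() follows symlinks and collapses the path; FALSE if nothing exists there.
  $base = realpath($private_dir);
  $full = realpath($private_dir . '/' . $rel);
  if ($base === FALSE || $full === FALSE) {
    return FALSE;
  }
  // Normalize separators (realpath() yields backslashes on Windows) and require
  // the base as a prefix at a directory boundary, so that "/srv/private-evil"
  // is not accepted for base "/srv/private".
  $base = rtrim(str_replace('\\', '/', $base), '/') . '/';
  $full = str_replace('\\', '/', $full);
  if (strncmp($full, $base, strlen($base)) !== 0) {
    return FALSE;
  }
  return $full;
}

// Constructed fixture: a private directory holding one file, a sibling
// directory outside it, and a symlink from inside pointing at the sibling.
$private = sys_get_temp_dir() . '/private-' . uniqid();
$outside = $private . '-evil';
mkdir($private);
mkdir($outside);
file_put_contents($private . '/report.pdf', 'ok');
file_put_contents($outside . '/secret.txt', 'no');
$has_link = @symlink($outside . '/secret.txt', $private . '/link.txt');

$requests = array(
  'report.pdf',
  '../secret.txt',
  '..\\..\\settings.php',
  '/etc/passwd',
  'C:\\Windows\\win.ini',
  'link.txt',
);
foreach ($requests as $r) {
  $resolved = private_file_resolve($private, $r);
  printf("%-24s => %s\n", $r, $resolved === FALSE ? 'DENIED' : 'ALLOW ' . $resolved);
}

// Clean up the fixture.
if ($has_link) {
  unlink($private . '/link.txt');
}
unlink($private . '/report.pdf');
unlink($outside . '/secret.txt');
rmdir($private);
rmdir($outside);
```

Note that the realpath() comparison is what catches the symlink case; the textual ".." and backslash checks alone would pass "link.txt". A custom file access module that only does the textual checks is exactly the "vulnerable contributed or custom file access module" the advisory refers to.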


Advisory ID: 
BACKDROP-SA-CORE-2023-005
Versions affected: 
  • Backdrop Core 1.24.x versions prior to 1.24.2
  • Backdrop Core 1.23.x versions prior to 1.23.4

Backdrop versions 1.22 and prior do not receive security coverage.

Backdrop core - Moderately critical - Access bypass - BACKDROP-SA-CORE-2023-004

Date: 
Mar 15th, 2023
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

Backdrop provides a page that outputs information from phpinfo() to assist with diagnosing issues with PHP configuration.

If an attacker were able to achieve an XSS exploit against a privileged user, they could use this page to read sensitive information (phpinfo() output includes server environment and configuration values) that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a successful XSS exploit against a privileged user is also required.

Advisory ID: 
BACKDROP-SA-CORE-2023-004
Versions affected: 
  • Backdrop Core 1.24.x versions prior to 1.24.1
  • Backdrop Core 1.23.x versions prior to 1.23.2

Backdrop versions 1.22 and prior do not receive security coverage.
