Security Advisories

Backdrop CMS includes bulk operations for content that allow people to modify multiple nodes at once from the Manage Content page (admin/content). These bulk operations can also be added to other listings using Views.

A bug in the core Actions system allows some people to use bulk actions to modify some values that they would not have permission to modify when editing individual nodes.

This vulnerability is mitigated by the fact that an attacker must have permission to access the /admin/content page, or other custom views used to modify nodes.

In particular, the following bulk actions now require either the "Administer content" permission, or the "Bypass content access control" permission.

• Make content sticky
• Make content unsticky
• Promote content
• Remove promotion
• Publish content
• Unpublish content
• Delete content

The Mail Disguise module enables a Backdrop website to obfuscate email addresses, and should prevent spambots from collecting them. The module doesn't sufficiently validate the data attribute value on links, potentially leading to a Cross Site Scripting (XSS) vulnerability.

This is mitigated by the fact an attacker must be able to insert link (<a>) HTML elements containing data attributes into the page.

The Masquerade module allows people to temporarily switch to another user account.

The module provides a "Masquerade as admin" permission to restrict people who can masquerade from switching to an account with administrative privileges. This permission is not always honored and may allow non-administrative users to masquerade as an administrator.

This vulnerability is mitigated by the fact that an attacker must have a role with the "Masquerade as user" permission.

The Bootstrap Lite Backdrop CMS theme doesn't sufficiently sanitize certain class names.

The Bootstrap 5 Lite Backdrop CMS theme doesn't sufficiently sanitize certain class names.

The Link iframe formatter module doesn't sufficiently sanitize user input before displaying results to the screen.

This vulnerability is mitigated by the fact that an attacker must have the ability to create content containing an iFrame field.

The GDPR cookies module contains a library with known vulnerabilities:

• https://security.snyk.io/vuln/SNYK-JS-TARTEAUCITRONJS-5772112
• https://security.snyk.io/vuln/SNYK-JS-TARTEAUCITRONJS-8366541

tarteaucitronjs is a package that provides compliance to the European cookie law.  Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of the services attributes value, and improper user-input sanitization, via width, theme, controls, img and other attributes.

This module enables you to integrate the site with the Google Tag Manager (GTM) application.

The module doesn't have the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.

Backdrop CMS does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed.

This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.

Backdrop CMS doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content.

This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module.