Forum Access - Critical - Remote Code Execution - BACKDROP-SA-CONTRIB-2023-006

Date: 
Aug 23rd, 2023
Security risk: 
Critical
Vulnerability: 
Remote Code Execution

This module changes your forum administration page to allow you to set forums to private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in an unsafe way. This can lead to Remote Code Execution via PHP Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.
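The advisory does not publish the affected code path. As an added illustration (not Forum Access module code), the block below shows the generic PHP object-injection pattern behind advisories of this kind, beside two safer ways to handle the same stored settings; the class and function names (forum_access_demo_*) and the payload are constructed for the example.

```php
<?php
// Added example, not Forum Access module code. The forum_access_demo_* names
// and the serialized payload are hypothetical.

// Hypothetical gadget: a class whose magic method has a side effect. If an
// attacker controls a serialized blob that is passed to unserialize(), they
// choose which class is instantiated and therefore which magic methods run.
class forum_access_demo_logger {
  public $file;
  public $data;
  public function __destruct() {
    // Writing attacker-chosen data to an attacker-chosen path is one common
    // route from object injection to code execution.
    file_put_contents($this->file, $this->data);
  }
}

// VULNERABLE: a settings blob taken from the request is unserialized with no
// class restriction. Never call this on untrusted input.
function forum_access_demo_unsafe($serialized) {
  return unserialize($serialized);
}

// SAFER: forbid object instantiation. Any object in the payload comes back as
// __PHP_Incomplete_Class, so no constructor, __wakeup() or __destruct() runs,
// and is_array() then rejects it.
function forum_access_demo_safe($serialized) {
  $value = unserialize($serialized, ['allowed_classes' => FALSE]);
  return is_array($value) ? $value : [];
}

// SAFEST for plain settings: store JSON, which cannot describe PHP objects.
function forum_access_demo_json($json) {
  $value = json_decode($json, TRUE);
  return is_array($value) ? $value : [];
}

// Constructed payload: the serialized form of the gadget above, submitted in
// place of the expected per-forum settings array.
$payload = 'O:24:"forum_access_demo_logger":2:{s:4:"file";s:13:"/tmp/demo.txt";s:4:"data";s:5:"pwned";}';

// The hardened decoder discards the gadget; a genuine settings array, whether
// serialized or JSON, still round-trips.
var_dump(forum_access_demo_safe($payload));
var_dump(forum_access_demo_safe('a:1:{s:4:"view";a:1:{i:0;s:13:"administrator";}}'));
var_dump(forum_access_demo_json('{"view":["administrator"]}'));
```

The `allowed_classes` option exists from PHP 7.0; on older runtimes the only safe choice is to avoid `unserialize()` on anything a user can influence and to store settings as JSON or in dedicated columns.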

This Security Advisory is being released in coordination with BACKDROP-SA-CONTRIB-2023-005 for the ACL module, on which Forum Access depends.

Advisory ID: 
BACKDROP-SA-CONTRIB-2023-006
Versions affected: 
  • Forum Access 1.x-1.x versions prior to 1.x-1.6.

Matomo Analytics - Less critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2023-004

Date: 
Aug 3rd, 2023
Security risk: 
Less Critical
Vulnerability: 
Cross Site Scripting

This module enables you to add the Matomo web statistics tracking system to your website.

The module does not validate the source of the Matomo JS code it loads on the website, so a user could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" to access the settings forms where this can be configured.
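As an added example (not Matomo module code), the block below shows the kind of validation the advisory implies is missing: a configured tracker or script URL is accepted only if it uses https and its host is on an explicit allowlist. The demo_* names, the allowlist entries and the candidate URLs are constructed for the example.

```php
<?php
// Added example, not Matomo module code. demo_* names, the allowlist and the
// candidate URLs are hypothetical.

function demo_tracker_url_allowed($url, array $allowed_hosts) {
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  // Only https: a tracker script fetched over http can be swapped in transit.
  if (strtolower($parts['scheme']) !== 'https') {
    return FALSE;
  }
  // Refuse userinfo: in "https://matomo.example.org@evil.example/" the host is
  // evil.example and the allowlisted name before the "@" is only a decoy.
  if (isset($parts['user']) || isset($parts['pass'])) {
    return FALSE;
  }
  $host = strtolower(rtrim($parts['host'], '.'));
  foreach ($allowed_hosts as $allowed) {
    $allowed = strtolower($allowed);
    // Exact match or a subdomain of an allowlisted name. A plain substring
    // match would let "matomo.example.org.evil.example" through.
    if ($host === $allowed || substr($host, -strlen('.' . $allowed)) === '.' . $allowed) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed values a site builder might paste into the module settings form.
$allowed = ['matomo.example.org', 'cdn.matomo.cloud'];
$candidates = [
  'https://matomo.example.org/matomo.js',
  'https://analytics.matomo.example.org/matomo.js',
  'http://matomo.example.org/matomo.js',
  'https://matomo.example.org.evil.example/matomo.js',
  'https://matomo.example.org@evil.example/matomo.js',
  'javascript:alert(1)',
];
foreach ($candidates as $url) {
  printf("%-55s %s\n", $url, demo_tracker_url_allowed($url, $allowed) ? 'allow' : 'deny');
}
```

In a Backdrop form this check belongs in the form's validate handler, so that a value failing it is never saved to config; the permission check on the settings form is a separate layer and, as the advisory notes, is the only thing limiting this issue in affected versions.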

Advisory ID: 
BACKDROP-SA-CONTRIB-2023-004
Versions affected: 
  • Matomo versions prior to 2.12.2

Backdrop core - Moderately critical - Access bypass - BACKDROP-SA-CORE-2023-005

Date: 
Apr 19th, 2023
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

File downloads do not sufficiently sanitize file paths in certain situations. This may result in people gaining access to private files to which they should not have access.

Some sites may require configuration changes following this security release. Review the release notes if you have issues accessing private files after updating.

  • All Backdrop sites running on Windows web servers are vulnerable.
  • Backdrop sites on Linux web servers are vulnerable only with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.
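As an added example (not Backdrop core code), the block below shows the class of check the advisory describes for a private-file download handler: reject traversal and Windows-style separators, then confirm the resolved path is inside the private directory, including the prefix case that makes some Linux directory layouts vulnerable. The demo_* names and the throwaway directory fixture are constructed for the example.

```php
<?php
// Added example, not Backdrop core code. demo_* names and the temp-directory
// fixture are hypothetical.

function demo_private_file_path_ok($private_root, $requested) {
  // Backslashes: on Windows PHP treats "\" as a directory separator, so
  // "..\..\settings.php" walks out of the private root even though it has no
  // "/". NUL bytes truncate the path in C-level filesystem calls.
  if (strpos($requested, '\\') !== FALSE || strpos($requested, "\0") !== FALSE) {
    return FALSE;
  }
  // Refuse empty and absolute requests, and any ".." segment.
  if ($requested === '' || $requested[0] === '/') {
    return FALSE;
  }
  foreach (explode('/', $requested) as $segment) {
    if ($segment === '..') {
      return FALSE;
    }
  }
  // Resolve both sides and check containment with a trailing separator.
  // Without it, "/var/private-other/x" passes for root "/var/private"; that
  // prefix collision is one of the "certain directory structures" on Linux.
  $root = realpath($private_root);
  $full = realpath($private_root . DIRECTORY_SEPARATOR . $requested);
  if ($root === FALSE || $full === FALSE) {
    return FALSE;
  }
  $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  return strpos($full, $prefix) === 0;
}

// Constructed fixture: a private directory with one file, plus a sibling
// directory whose name shares the prefix.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo-' . bin2hex(random_bytes(4));
$private = $base . DIRECTORY_SEPARATOR . 'private';
mkdir($private . DIRECTORY_SEPARATOR . 'reports', 0700, TRUE);
mkdir($base . DIRECTORY_SEPARATOR . 'private-other', 0700, TRUE);
file_put_contents($private . '/reports/q3.pdf', 'pdf');
file_put_contents($base . '/private-other/leak.txt', 'secret');

$cases = [
  'reports/q3.pdf',                        // legitimate request
  '../private-other/leak.txt',             // traversal into the sibling directory
  '..\\private-other\\leak.txt',           // same, with Windows separators
  'reports/../../private-other/leak.txt',  // traversal hidden after a valid segment
  "reports/q3.pdf\0.png",                  // NUL-byte truncation attempt
];
foreach ($cases as $case) {
  printf("%-45s %s\n", addcslashes($case, "\0"),
    demo_private_file_path_ok($private, $case) ? 'allow' : 'deny');
}

// Clean up the fixture.
unlink($private . '/reports/q3.pdf');
unlink($base . '/private-other/leak.txt');
rmdir($private . '/reports');
rmdir($private);
rmdir($base . '/private-other');
rmdir($base);
```

The segment check and the realpath() containment check overlap on purpose: the first refuses obviously bad input before touching the filesystem, the second catches anything the first does not model, such as symlinks inside the private root that point elsewhere.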

Advisory ID: 
BACKDROP-SA-CORE-2023-005
Versions affected: 
  • Backdrop Core 1.24.x versions prior to 1.24.2
  • Backdrop Core 1.23.x versions prior to 1.23.4

Backdrop versions 1.22 and prior do not receive security coverage.

Backdrop core - Moderately critical - Access bypass - BACKDROP-SA-CORE-2023-004

Date: 
Mar 15th, 2023
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

Backdrop provides a page that outputs information from phpinfo() to assist with diagnosing issues with PHP configuration.

If an attacker were able to achieve an XSS exploit against a privileged user, they may be able to use this page to access sensitive information that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a successful XSS exploit is also required in order to exploit this vulnerability.

Advisory ID: 
BACKDROP-SA-CORE-2023-004
Versions affected: 
  • Backdrop Core 1.24.x versions prior to 1.24.1
  • Backdrop Core 1.23.x versions prior to 1.23.2

Backdrop versions 1.22 and prior do not receive security coverage.

Borg - Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2023-001

Date: 
Feb 15th, 2023
Security risk: 
Critical
Vulnerability: 
Cross Site Scripting

The borg theme does not sufficiently sanitize path arguments that are passed in via URL.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Advisory ID: 
BACKDROP-SA-CONTRIB-2023-001
Versions affected: 
  • The borg theme versions prior to 1.x-1.1.19

CAS - Critical - Third Party Libraries - BACKDROP-SA-CONTRIB-2023-002

Date: 
Feb 15th, 2023
Security risk: 
Critical
Vulnerabilities: 
  • Access bypass
  • Third Party Libraries

Central Authentication Service (CAS) is a Single Sign-On protocol widely used by universities and large organizations.

The module includes a copy of the phpCAS library that is maintained by a third-party. Previous versions of this library may allow an attacker to gain unauthorized access to a user account in Backdrop. This release both includes and supports an updated version of the library that addresses this issue.

For more information concerning the exploit, please visit the following URL: https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64

Advisory ID: 
BACKDROP-SA-CONTRIB-2023-002
Versions affected: 
  • CAS module versions prior to 1.x-1.0.1

File (Field) Paths - Moderately critical - Access bypass - BACKDROP-SA-CONTRIB-2022-006

Date: 
Dec 15th, 2022
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

The File (Field) Paths module extends the default functionality of Backdrop's core File module, by adding the ability to use entity-based tokens in destination paths and file names.

The module's default configuration could temporarily expose private files to anonymous visitors.

Important note: to fix the problem, database updates must be run in addition to updating the module.

It's possible to make a configuration change to mitigate this problem in the admin UI at /admin/config/media/file-system/filefield-paths - the temp file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.

This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.

Advisory ID: 
BACKDROP-SA-CONTRIB-2022-006
Versions affected: 
  • File (Field) Paths versions v1.x-1.0.1 and prior

Backdrop core - Moderately critical - Information Disclosure - BACKDROP-SA-CORE-2022-004

Date: 
Jul 20th, 2022
Security risk: 
Moderately Critical
Vulnerability: 
Information Disclosure

In some situations, the Image module does not correctly check access to image files that are not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

Some sites may require configuration changes following this security release. Review the Backdrop release notes if you have issues accessing files or image styles after updating.
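As an added example (not Backdrop core code), the block below contrasts the narrow check the advisory describes, where access is enforced only for the private:// scheme, with a version that treats every scheme other than the known public one as non-public. The demo_* names, the contributed scheme name and the access callback are constructed for the example.

```php
<?php
// Added example, not Backdrop core code. demo_* names, the "s3private" scheme
// and the access callback are hypothetical.

// Narrow: anything that is not private:// is served, so a file under a
// contributed scheme is handed out without consulting file access at all.
function demo_derivative_access_narrow($uri, callable $file_access) {
  $scheme = parse_url($uri, PHP_URL_SCHEME);
  if ($scheme === 'private') {
    return $file_access($uri);
  }
  return TRUE;
}

// Generic: only an explicitly public scheme skips the check. A missing or
// unparseable scheme is refused rather than assumed public.
function demo_derivative_access_generic($uri, callable $file_access, array $public_schemes = ['public']) {
  $scheme = parse_url($uri, PHP_URL_SCHEME);
  if (!is_string($scheme) || $scheme === '') {
    return FALSE;
  }
  if (in_array($scheme, $public_schemes, TRUE)) {
    return TRUE;
  }
  return $file_access($uri);
}

// Constructed access callback standing in for the file-access hook chain:
// the current (anonymous) visitor may not view any non-public file.
$anonymous = function ($uri) {
  return FALSE;
};

$uris = [
  'public://styles/thumbnail/cat.png',
  'private://hr/payslip-0423.png',
  's3private://hr/payslip-0423.png',   // contributed, non-public scheme
  '/etc/hostname',                     // no scheme at all
];
foreach ($uris as $uri) {
  printf("%-36s narrow=%-5s generic=%s\n", $uri,
    demo_derivative_access_narrow($uri, $anonymous) ? 'allow' : 'deny',
    demo_derivative_access_generic($uri, $anonymous) ? 'allow' : 'deny');
}
```

The design point is the default: an allowlist of public schemes fails closed when a new stream wrapper appears, whereas a denylist of one private scheme fails open, which is exactly the gap the advisory describes.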

Advisory ID: 
BACKDROP-SA-CORE-2022-004
Versions affected: 
  • Backdrop Core 1.22.x versions prior to 1.22.1
  • Backdrop Core 1.21.x versions prior to 1.21.6

Backdrop versions 1.20 and prior do not receive security coverage.

Backdrop core - Moderately critical - Third Party Libraries - BACKDROP-SA-CORE-2022-003

Date: 
Mar 16th, 2022
Security risk: 
Moderately Critical
Vulnerabilities: 
  • Cross Site Scripting
  • Third Party Libraries

The Backdrop project uses the CKEditor library for rich-text editing. CKEditor has released a security update that impacts Backdrop.

If a Backdrop site is configured to use CKEditor for rich-text editing, an attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities. Victims may be people who later edit that content using CKEditor, including site admins with privileged access.

For more information, see CKEditor's security advisories:

Advisory ID: 
BACKDROP-SA-CORE-2022-003
Versions affected: 
  • Backdrop Core 1.21.x versions prior to 1.21.4
  • Backdrop Core 1.20.x versions prior to 1.20.7

Backdrop versions 1.19 and prior do not receive security coverage.
