Backdrop core - Moderately critical - Access bypass - BACKDROP-SA-CORE-2023-004
Backdrop provides a page that outputs information from phpinfo() to assist with diagnosing issues with PHP configuration.
If an attacker were able to achieve an XSS exploit against a privileged user, they may be able to use this page to access sensitive information that could be used to escalate the attack.
This vulnerability is mitigated by the fact that exploiting it also requires a successful XSS exploit.
- Backdrop Core 1.24.x versions prior to 1.24.1
- Backdrop Core 1.23.x versions prior to 1.23.2
Backdrop versions 1.22 and prior do not receive security coverage.