Backdrop core - Moderately Critical - Access Bypass - SA-CORE-2017-004
Access bypass via views of taxonomy terms
The Backdrop core module Views allows site builders to create listings of various data in the Backdrop database.
The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permission to view it.
This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.
Access bypass via views bulk operations on user accounts
The Backdrop core user account listing allows administration of user accounts. The bulk operation on this page that allows additional roles to be added to accounts also allowed a user to promote themselves beyond their intended access.
This is mitigated by the fact that a user must already have permission to view the user account page in order to have access to the bulk operation.
- Backdrop Core 1.x.x versions prior to 1.6.2