Backdrop Core - Moderately critical - Cross Site Scripting - BACKDROP-SA-CORE-2021-006
- Cross Site Scripting
- Third Party Libraries
The Backdrop CMS project uses the CKEditor library for WYSIWYG (rich-text) editing. CKEditor has released a security update that affects Backdrop, together with a hotfix for that update; both are incorporated in the fixed Backdrop releases listed below.
These vulnerabilities are only reachable when Backdrop is configured to use CKEditor for rich-text editing. An attacker who can create or edit content (even without access to CKEditor themselves, for example through a plain-text format) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities against other users who later open that content in the rich-text editor, including site administrators with privileged access. Because the payload executes in the victim's session, the impact is bounded by the privileges of whoever edits the content, not of the attacker.
For more information, see CKEditor's security advisories.
- Backdrop Core 1.20.x versions prior to 1.20.2
- Backdrop Core 1.19.x versions prior to 1.19.5
Backdrop versions 1.18 and prior do not receive security coverage, so no fixed release exists for those branches; sites still running them should upgrade to a supported branch (1.19.5 or 1.20.2 and later).
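A quick way to check whether an installation falls inside the affected ranges above, as an added example that is not part of the advisory or of Backdrop's own code. The affected/fixed ranges are taken from this advisory; the assumption (labelled in the code) is that Backdrop declares its version as `define('BACKDROP_VERSION', '...')` in `core/includes/bootstrap.inc`, so the file content shown is constructed for the example. Pre-release snapshots such as `1.20.2-dev` are treated as older than the final `1.20.2` release, and branches newer than the advisory are reported as not listed rather than guessed at.

```python
"""Classify a Backdrop CMS core version against BACKDROP-SA-CORE-2021-006."""
import re
from typing import Dict, Optional, Tuple

# First fixed release per supported branch, as stated in the advisory.
FIXED_RELEASE: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 20): (1, 20, 2),
    (1, 19): (1, 19, 5),
}
# Backdrop 1.18 and earlier receive no security coverage.
LAST_UNSUPPORTED_BRANCH = (1, 18)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\w+))?$")
# Assumption (not from the advisory): Backdrop records its version as
# define('BACKDROP_VERSION', '1.20.1'); in core/includes/bootstrap.inc.
_DEFINE_RE = re.compile(r"define\(\s*'BACKDROP_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, final) where final is 0 for pre-releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Backdrop version: {text!r}")
    major, minor, patch, suffix = m.groups()
    # A pre-release such as 1.20.2-dev sorts before the final 1.20.2 release,
    # so it must not be reported as fixed.
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def classify(text: str) -> str:
    """One of: 'vulnerable', 'fixed', 'unsupported', 'not_listed'."""
    version = parse_version(text)
    branch = version[:2]
    if branch <= LAST_UNSUPPORTED_BRANCH:
        return "unsupported"  # no fix exists; upgrade to a supported branch
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return "not_listed"  # branch post-dates the advisory; check current advisories
    return "fixed" if version >= fixed + (1,) else "vulnerable"


def version_from_bootstrap(source: str) -> Optional[str]:
    """Extract the BACKDROP_VERSION string from bootstrap.inc content (assumed format)."""
    m = _DEFINE_RE.search(source)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample of the define line; in practice read core/includes/bootstrap.inc.
    sample_bootstrap = "<?php\ndefine('BACKDROP_VERSION', '1.20.1');\n"
    found = version_from_bootstrap(sample_bootstrap)
    print(f"Backdrop {found}: {classify(found) if found else 'version not found'}")
    for v in ("1.20.2", "1.20.2-dev", "1.19.4", "1.19.5", "1.18.9", "1.21.0"):
        print(f"{v:>12}: {classify(v)}")
```

The check is deliberately strict about pre-release suffixes: a site tracking a `-dev` snapshot of the fixed version should be treated as unpatched until it is on the tagged release.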