Corresponding security release for Drupal SA-CORE-2021-001 postponed

Date: 
Jan 20th, 2021
Security risk: 
Critical
Vulnerability: 
Third Party Libraries

There will be a security release of Backdrop 1.18.x, and 1.17.x on January 27th, 2021 between 19:00 - 23:00 UTC. Security release announcements will appear here, on the Backdrop security page. This release will not require a database update.

The PEAR Archive_Tar library included with Backdrop core released a security update earlier this month, CVE-2020-36193. The core update will patch the library to include this fix. This security release will correlate to Drupal security release SA-CORE-2021-001 issued on January 20th. 2021.

Because Backdrop issued its regularly scheduled minor release on January 15th, and based on the severity of these issues, the Backdrop Security Team has agreed to postpone this security release for one week.

 

Advisory ID: 
BACKDROP-SA-CORE-2021-001
Versions affected: 
  • Backdrop Core 1.18.x versions prior to 1.18.1
  • Backdrop Core 1.17.x versions prior to 1.17.6

Backdrop versions 1.16 and prior do not receive security coverage.

Backdrop core - Critical - Arbitrary PHP code execution - BACKDROP-SA-CORE-2020-008

Date: 
Nov 25th, 2020
Security risk: 
Critical
Vulnerability: 
Arbitrary PHP code execution

The Backdrop CMS project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Backdrop. For more information please see the CVE's linked here.

Multiple vulnerabilities are possible if Backdrop is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2 or .tlz files.

 

Advisory ID: 
BACKDROP-SA-CORE-2020-008
Versions affected: 
  • Backdrop Core 1.17.x versions prior to 1.17.4
  • Backdrop Core 1.16.x versions prior to 1.16.6

Backdrop versions 1.15 and prior do not receive security coverage.

Backdrop core - Critical - Remote code execution - SA-CORE-2020-007

Date: 
Nov 18th, 2020
Security risk: 
Critical
Vulnerability: 
Remote Code Execution

Backdrop core does not properly sanitize certain filenames on uploaded files. This can lead to files being interpreted as the incorrect extension and served as the wrong MIME type, or executed as PHP for certain hosting configurations.

Advisory ID: 
BACKDROP-SA-CORE-2020-007
Versions affected: 
  • Backdrop Core 1.17.x versions prior to 1.17.3
  • Backdrop Core 1.16.x versions prior to 1.16.5

Backdrop versions 1.15 and prior do not receive security coverage.

Backdrop core - Moderately critical - Cross-site scripting - BACKDROP-SA-CORE-2020-006

Date: 
Sep 30th, 2020
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Backdrop core's built-in CKEditor image caption functionality is vulnerable to XSS.

This SA is equivalent to Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010

Advisory ID: 
BACKDROP-SA-CORE-2020-006
Versions affected: 
  • Backdrop Core 1.17.x versions prior to 1.17.1
  • Backdrop Core 1.16.x versions prior to 1.16.4

Backdrop versions 1.15 and prior do not receive security coverage.

Backdrop core - Moderately critical - Cross-site scripting - BACKDROP-SA-CORE-2020-005

Date: 
Sep 30th, 2020
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

The Backdrop AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

This SA is equivalent to Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Advisory ID: 
BACKDROP-SA-CORE-2020-005
Versions affected: 
  • Backdrop Core 1.17.x versions prior to 1.17.1
  • Backdrop Core 1.16.x versions prior to 1.16.4

Backdrop versions 1.15 and prior do not receive security coverage.

Corresponding security release for Drupal SA-CORE-2020-007 and SA-CORE-2020-010 postponed

Date: 
Sep 16th, 2020
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

There will be a security release of Backdrop 1.17.x, and 1.16.x on Sept 30th, 2020 between 19:00 - 23:00 UTC. Security release announcements will appear here, on the Backdrop security page.  This release will not require a database update.

This security release will be a complimentary release to the Drupal security releases SA-CORE-2020-007 and SA-CORE-2020-010 issued on September 16th.

Because Backdrop issued its regularly scheduled minor release on September 15th, and based on the severity of these issues, the Backdrop Security Team has agreed to postpone this security release for two weeks. 

Advisory ID: 
PSA-2020-005
Versions affected: 
  • Backdrop Core 1.16.x versions prior to 1.16.4
  • Backdrop Core 1.17.x versions prior to 1.17.1

Backdrop versions 1.15 and prior do not receive security coverage.

Backdrop Core - Critical - Cross Site Request Forgery - BACKDROP-SA-CORE-2020-004

Date: 
Jun 17th, 2020
Security risk: 
Critical
Vulnerability: 
Cross Site Request Forgery

The Backdrop core Form API does not properly handle form input from cross-site requests, which can lead to other vulnerabilities.

 

Advisory ID: 
BACKDROP-SA-CORE-2020-004
Versions affected: 
  • Backdrop Core 1.16.x versions prior to 1.16.2
  • Backdrop Core 1.15.x versions prior to 1.15.4

Backdrop versions 1.14 and prior do not receive security coverage.

Services - Moderately critical - Access bypass - BACKDROP-SA-CONTRIB-2020-002

Date: 
Jun 4th, 2020
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

This module provides a standardized solution for building API's so that external clients can communicate with Backdrop.

The module's taxonomy term index resource doesn't take into consideration certain access control tags provided (but unused) by core, that certain contrib modules depend on.

This vulnerability is mitigated by the fact your site must have the taxonomy term index resource enabled, your site must have a contributed module enabled which utilizes taxonomy term access control, and an attacker must know your API endpoint's path.

Advisory ID: 
BACKDROP-SA-CONTRIB-2020-002
Versions affected: 
  • Services module 1.x versions prior to 1.x-3.0.5-beta

Backdrop Core - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CORE-2020-002

Date: 
May 20th, 2020
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

[...] security issues in jQuery’s DOM manipulation methods, as in .html().append(), and the others. Security advisories for both of these issues have been published on GitHub.

Those advisories are:

These vulnerabilities may be exploitable on some Backdrop sites. This security release backports the fixes to the relevant jQuery functions without making any other changes to the jQuery version that is included in core, or running on the site via some other module such as jQuery Update. It is not necessary to update jquery_update on sites that have the module installed.

Backwards-compatibility code has also been added to minimize regressions to sites that might rely on jQuery's prior behavior. With jQuery 3.5, incorrect self-closing HTML tags in JavaScript for elements where end tags are normally required will encounter a change in what jQuery returns or inserts. To minimize that disruption, this security release retains jQuery's prior behavior for most safe tags. There may still be regressions for edge cases, including invalidly self-closed custom elements on Internet Explorer.

If you find a regression caused by the jQuery changes, please report it in Backdrop core's issue queue (or that of the relevant contrib project). However, if you believe you have found a security issue, please report it privately to the Backdrop Security Team.

Advisory ID: 
BACKDROP-SA-CORE-2020-002
Versions affected: 
  • Backdrop Core 1.16.x versions prior to 1.16.1
  • Backdrop Core 1.15.x versions prior to 1.15.3

Backdrop versions 1.14 and prior do not receive security coverage.

Backdrop core - Moderately critical - Open Redirect - BACKDROP-SA-CORE-2020-003

Date: 
May 20th, 2020
Security risk: 
Moderately Critical
Vulnerability: 
Open Redirect

Backdrop CMS has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the backdrop_goto() function.

Advisory ID: 
BACKDROP-SA-CORE-2020-003
Versions affected: 
  • Backdrop Core 1.16.x versions prior to 1.16.1
  • Backdrop Core 1.15.x versions prior to 1.15.3

Backdrop versions 1.14 and prior do not receive security coverage.

Pages