Backdrop core - Moderately critical - Third Party Libraries - SA-BACKDROP-CORE-2022-003
Vulnerability types:
- Cross-Site Scripting
- Third Party Libraries
The Backdrop project uses the CKEditor library for rich-text editing. CKEditor has released a security update that impacts Backdrop.
If a Backdrop site is configured to use CKEditor for rich-text editing, an attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities. Victims may be people who later edit that content using CKEditor, including site admins with privileged access.
For more information, see CKEditor's security advisories:
- CVE-2022-24728: HTML processing vulnerability allowing execution of JavaScript code
- CVE-2022-24729: Regular expression Denial of Service in dialog plugin
Versions affected:
- Backdrop Core 1.21.x versions prior to 1.21.4
- Backdrop Core 1.20.x versions prior to 1.20.7
Backdrop versions 1.19 and prior do not receive security coverage.
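The affected-version list above is easy to misread when triaging many sites, because a site on 1.20.7 is fixed while a site on 1.21.3 is not, and anything on 1.19 or earlier is out of coverage rather than "safe". The following is an added example (not Backdrop project code) that encodes exactly the ranges this advisory states and classifies a site's reported core version accordingly. The version strings and the `assess`/`triage` names are constructed for illustration; branches the advisory does not mention (for example 1.22.x) are reported as "not listed" rather than assumed fixed.

```python
"""Version triage for SA-BACKDROP-CORE-2022-003.

Added example, not part of the Backdrop project. The tables below are
transcribed from the advisory text; nothing else is assumed about
Backdrop's release history.
"""
import re

# (major, minor) branch -> first patch level that contains the CKEditor fix,
# per the advisory ("1.21.x prior to 1.21.4", "1.20.x prior to 1.20.7").
FIXED_IN = {(1, 21): 4, (1, 20): 7}

# Per the advisory, 1.19 and earlier do not receive security coverage.
LAST_UNSUPPORTED_BRANCH = (1, 19)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Parse 'MAJOR.MINOR[.PATCH]' into an integer tuple; PATCH defaults to 0."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Backdrop version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version):
    """Classify a Backdrop core version against this advisory.

    Returns one of:
      'unsupported' - 1.19.x or earlier: no security coverage, treat as exposed
      'affected'    - a listed branch below its fixed patch level
      'fixed'       - a listed branch at or above its fixed patch level
      'not listed'  - a branch the advisory does not mention
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch <= LAST_UNSUPPORTED_BRANCH:
        return "unsupported"
    if branch in FIXED_IN:
        return "affected" if patch < FIXED_IN[branch] else "fixed"
    return "not listed"


def triage(inventory):
    """Map {site_name: version} to {site_name: classification}."""
    return {site: assess(version) for site, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory of site names and reported core versions.
    sample_sites = {
        "intranet": "1.21.3",
        "blog": "1.21.4",
        "shop": "1.20.6",
        "docs": "1.20.7",
        "legacy": "1.19.2",
        "staging": "1.22.0",
    }
    for site, status in triage(sample_sites).items():
        print(f"{site:10s} {sample_sites[site]:8s} {status}")
```

Sites classified "affected" or "unsupported" are the ones where the stored-XSS scenario described above (an editor-side payload planted by any user who can create or edit content) still applies; "not listed" is a prompt to check the next advisory, not a clean bill of health.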