Security Advisories

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

The Views module included in Backdrop core doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that a view must display a field with the format "Full data (serialized)" and an attacker must have the ability to store malicious markup in that field.

Additional information

Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:

• BACKDROP-SA-CORE-2019-005
• BACKDROP-SA-CORE-2019-006
• BACKDROP-SA-CORE-2019-007

The Views module included in Backdrop core doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances.

This vulnerability is mitigated by the fact that a view must have an exposed filter on a field that is used on multiple entity types, both of which are included in the view.

Additional information

Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:

• BACKDROP-SA-CORE-2019-005
• BACKDROP-SA-CORE-2019-006
• BACKDROP-SA-CORE-2019-007

The Views module included in Backdrop core doesn't sufficiently protect against argument definitions failing.

This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator.

Additional information

Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:

• BACKDROP-SA-CORE-2019-005
• BACKDROP-SA-CORE-2019-006
• BACKDROP-SA-CORE-2019-007

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or otherwise handles their personal information.

The module doesn't sufficiently sanitize data for some interface labels and strings shown in the cookie policy banner, opening up possibility of Cross Site Scripting exploits that can be created by somebody that has access to the admin interface of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance banner".

The Ubercart module provides a shopping cart and e-commerce features for Backdrop CMS.

The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL.

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module doesn't sufficiently sanitize user input for entity index resources thus allowing SQL Injection attacks.

This vulnerability is mitigated by the fact that the Backdrop site must have an "index" resource(s) enabled under the Services endpoint configuration (admin/structure/services/list/MY-ENDPOINT/resources) and an attacker must know the endpoint's machine name.

Install the 1.x-3.0.3-beta version of the Services module for the fix, or simply disable any "index" resources to stop the attack vector.

This module enables a privileged user to specify the important part of an image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.

Link fields do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Note: A site is only affected by this if the site has a web services module enabled (like Services module) or exposes another API that allows content creation.

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Backdrop code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

.phar added to dangerous extensions list

The .phar file extension has been added to Backdrop's dangerous extensions list, which means that any such file uploaded to a Backdrop file field will automatically be converted to a text file (with the .txt extension) to prevent it from being executed. This is similar to how Backdrop handles file uploads with a .php extension.

Another SA was released today, see also:

• BACKDROP-SA-CORE-2019-001