Security Advisories

The Ubercart module provides a shopping cart and e-commerce features for Backdrop CMS.

The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL.

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module doesn't sufficiently sanitize user input for entity index resources thus allowing SQL Injection attacks.

This vulnerability is mitigated by the fact that the Backdrop site must have an "index" resource(s) enabled under the Services endpoint configuration (admin/structure/services/list/MY-ENDPOINT/resources) and an attacker must know the endpoint's machine name.

Install the 1.x-3.0.3-beta version of the Services module for the fix, or simply disable any "index" resources to stop the attack vector.

This module enables a privileged user to specify the important part of an image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.

Link fields do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Note: A site is only affected by this if the site has a web services module enabled (like Services module) or exposes another API that allows content creation.

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Backdrop code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

.phar added to dangerous extensions list

The .phar file extension has been added to Backdrop's dangerous extensions list, which means that any such file uploaded to a Backdrop file field will automatically be converted to a text file (with the .txt extension) to prevent it from being executed. This is similar to how Backdrop handles file uploads with a .php extension.

Another SA was released today, see also:

• BACKDROP-SA-CORE-2019-001

Backdrop core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Backdrop configurations. Refer to CVE-2018-1000888 for details.

Another SA was released today, see also:

• BACKDROP-SA-CORE-2019-002

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

External URL injection through URL aliases - Moderately Critical - Open Redirect

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the `administer paths` permission to exploit.

Backdrop CMS doesn't sufficiently protect against XSS when allowing administrative users to define custom classes for blocks and regions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Layouts".

A remote code execution vulnerability exists within multiple subsystems of Backdrop. This potentially allows attackers to exploit multiple attack vectors on a Backdrop site, which could result in the site being compromised. This vulnerability is related to Backdrop core - Highly Critical - Remote Code Execution - BACKDROP-SA-CORE-2018-002. While BACKDROP-SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release.

CKEditor, a third-party JavaScript library included in Backdrop core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Backdrop core also uses).