Backdrop core - Moderately Critical - Cross Site Scripting - SA-CORE-2018-005

Date: 
Oct 10th, 2018
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Backdrop CMS doesn't sufficiently protect against XSS when allowing administrative users to define custom classes for blocks and regions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Layouts".

Advisory ID: 
BACKDROP-SA-CORE-2018-005
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.11.1

Backdrop core - Critical - Remote Code Execution - SA-CORE-2018-004

Date: 
Apr 25th, 2018
Security risk: 
Critical
Vulnerability: 
Remote Code Execution

A remote code execution vulnerability exists within multiple subsystems of Backdrop. This potentially allows attackers to exploit multiple attack vectors on a Backdrop site, which could result in the site being compromised. This vulnerability is related to Backdrop core - Highly Critical - Remote Code Execution - BACKDROP-SA-CORE-2018-002. While BACKDROP-SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release.

Advisory ID: 
BACKDROP-SA-CORE-2018-004
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.9.5

Backdrop core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Date: 
Apr 18th, 2018
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

CKEditor, a third-party JavaScript library included in Backdrop core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Backdrop core also uses).

Advisory ID: 
BACKDROP-SA-CORE-2018-003
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.9.4

Backdrop core - Highly Critical - Remote Code Execution - SA-CORE-2018-002

Date: 
Mar 28th, 2018
Security risk: 
Highly Critical
Vulnerability: 
Remote Code Execution

A remote code execution vulnerability exists within multiple subsystems of Backdrop 1.x. This potentially allows attackers to exploit multiple attack vectors on a Backdrop site, which could result in the site being completely compromised.  

This is a Highly Critical security advisory, which means:

  • How difficult is it for an attacker to leverage the vulnerability? Not difficult (attacker visits page).
  • What privilege level is required for an exploit to be successful? None (all users / anonymous users could be attackers).
  • Does this vulnerability cause non-public data to be accessible? Yes. All non-public data is accessible.
  • Can this exploit allow system data (or data handled by the system) to be compromised? Yes. All data can be modified or deleted.
  • Does a known exploit exist? A theoretical (or white-hat) exploit has been created, but no public exploit code or documentation on development exists, that we know of (we will update this post if that changes.)
  • What percentage of users are affected? Common configurations can make a site exploitable, but a configuration change could disable the exploit.

Please note on the last point that while a configuration change can theoretically mitigate the issue, it would have to be a drastic configuration change. The Security Team strongly recommends that the best solution is for sites to update to 1.9.3. 

Given the nature of the vulnerability, site owners should anticipate that exploits may be developed soon, and should update their sites immediately.

Advisory ID: 
BACKDROP-SA-CORE-2018-002
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.9.3

Backdrop core - Less Critical - Cross Site Scripting - SA-CORE-2018-001c

Date: 
Feb 21st, 2018
Security risk: 
Less Critical
Vulnerability: 
Cross Site Scripting

Backdrop core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Advisory ID: 
BACKDROP-SA-CORE-2018-001c
Versions affected: 
  • Backdrop Core versions prior to 1.9.2

Backdrop core - Moderately Critical - Cross Site Scripting -SA-CORE-2018-001b

Date: 
Feb 21st, 2018
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. This vulnerability affects sites using the version of jQuery bundled with Backdrop core (1.12.4), newer versions of jQuery are not affected.

Advisory ID: 
BACKDROP-SA-CORE-2018-001b
Versions affected: 
  • Backdrop Core versions prior to 1.9.2

Backdrop core - Critical - Moderately Critical -SA-CORE-2018-001a

Date: 
Feb 21st, 2018
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

When using Backdrop's private file system, Backdrop will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

Advisory ID: 
BACKDROP-SA-CORE-2018-001a
Versions affected: 
  • Backdrop Core versions prior to 1.9.2

Backdrop core - Critical - Cross Site Scripting - SA-CORE-2018-001

Date: 
Feb 21st, 2018
Security risk: 
Critical
Vulnerability: 
Cross Site Scripting

JavaScript cross-site scripting prevention is incomplete - Critical

Backdrop has a Backdrop.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Backdrop provides for HTML escaping are not affected.

Advisory ID: 
BACKDROP-SA-CORE-2018-001
Versions affected: 
  • Backdrop Core versions prior to 1.9.2

FileField Sources - Moderately Critical - Information Disclosure - SA-CONTRIB-2018-001

Date: 
Feb 7th, 2018
Security risk: 
Moderately Critical
Vulnerability: 
Information Disclosure

This module enables you to upload files to fields via several sources.

The module doesn't sufficiently handle access control under the scenario of the autocomplete path of reference sources.

Advisory ID: 
BACKDROP-SA-CONTRIB-2018-001
Versions affected: 
  • FileField Sources module versions prior to 1.11.0

Captcha - Moderately Critical - Denial of Service - SA-CONTRIB-2017-010

Date: 
Sep 8th, 2017
Security risk: 
Moderately Critical
Vulnerability: 
Denial of Service

The Captcha module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments.

The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack.

This vulnerability is mitigated by the fact that Backdrop does not give a session to all visitors, especially when used with advanced caching systems like Varnish.

Advisory ID: 
BACKDROP-SA-CONTRIB-2017-010
Versions affected: 
  • CAPTCHA 1.x-1.x versions prior to 1.x-1.3.5.

Backdrop core is not affected. If you do not use the contributed CAPTCHA module, there is nothing you need to do.

Pages