Security Advisories

The Views module included in Backdrop core doesn't sufficiently protect against argument definitions failing.

This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator.

Additional information

Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:

• BACKDROP-SA-CORE-2019-005
• BACKDROP-SA-CORE-2019-006
• BACKDROP-SA-CORE-2019-007

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or otherwise handles their personal information.

The module doesn't sufficiently sanitize data for some interface labels and strings shown in the cookie policy banner, opening up possibility of Cross Site Scripting exploits that can be created by somebody that has access to the admin interface of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance banner".

The Ubercart module provides a shopping cart and e-commerce features for Backdrop CMS.

The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL.

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module doesn't sufficiently sanitize user input for entity index resources thus allowing SQL Injection attacks.

This vulnerability is mitigated by the fact that the Backdrop site must have an "index" resource(s) enabled under the Services endpoint configuration (admin/structure/services/list/MY-ENDPOINT/resources) and an attacker must know the endpoint's machine name.

Install the 1.x-3.0.3-beta version of the Services module for the fix, or simply disable any "index" resources to stop the attack vector.

This module enables a privileged user to specify the important part of an image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.

Link fields do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

Note: A site is only affected by this if the site has a web services module enabled (like Services module) or exposes another API that allows content creation.

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Backdrop code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

.phar added to dangerous extensions list

The .phar file extension has been added to Backdrop's dangerous extensions list, which means that any such file uploaded to a Backdrop file field will automatically be converted to a text file (with the .txt extension) to prevent it from being executed. This is similar to how Backdrop handles file uploads with a .php extension.

Another SA was released today, see also:

• BACKDROP-SA-CORE-2019-001

Backdrop core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Backdrop configurations. Refer to CVE-2018-1000888 for details.

Another SA was released today, see also:

• BACKDROP-SA-CORE-2019-002

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

External URL injection through URL aliases - Moderately Critical - Open Redirect

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the `administer paths` permission to exploit.

Backdrop CMS doesn't sufficiently protect against XSS when allowing administrative users to define custom classes for blocks and regions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Layouts".