- Backdrop Core 1.x.x versions prior to 1.21.0
There will be no additional Backdrop release today. The version of jQuery UI included in Backdrop CMS is up to date as of the latest Backdrop release, version 1.21.0, out January 15th, 2022.
Earlier versions of Backdrop core did not use the parts of the jQuery UI library that are affected by the vulnerabilities listed below. Sites running those earlier versions may still be exploitable through contributed modules, if a module uses those parts of the jQuery UI library. There are no known instances of this happening.
jQuery UI is a third-party library included in Backdrop CMS. This library was previously thought to be end-of-life.
Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issues that may affect Backdrop sites that have not yet updated to 1.21.0:
- CVE-2021-41182: XSS in the altField option of the Datepicker widget
- CVE-2021-41183: XSS in *Text options of the Datepicker widget
- CVE-2021-41184: XSS in the "of" option of the .position() util
Note: All other vulnerabilities that were previously unaddressed in the version of jQuery UI included in Drupal 7 do not affect any version of Backdrop CMS.
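Because the exposure on sites still below 1.21.0 depends on whether any contributed module passes values into the affected jQuery UI options, a practitioner will want to look for such uses before deciding how urgent the update is. The following audit script is an added example, not code from the Backdrop advisory, Backdrop core, or any contributed module. It greps a directory of JavaScript files for Datepicker calls that set altField or a *Text option, and for .position() calls that set "of", and reports each file with the matching CVE. The module names, the Backdrop.settings keys and the sample files it builds are constructed for illustration; a hit means "review this file", not "this file is exploitable", since the option value may be a trusted constant.

```shell
#!/bin/sh
# Added audit helper; not part of the Backdrop advisory or of Backdrop core.
# Lists JavaScript files under a directory that use the jQuery UI options named
# in CVE-2021-41182 / CVE-2021-41183 / CVE-2021-41184.  The module tree built by
# make_sample_tree is constructed for this example (hypothetical module names).

# Print the .js files under $1 that match extended regex $2, one per line, sorted.
js_files_matching() {
    find "$1" -type f -name '*.js' -exec grep -lE "$2" {} + 2>/dev/null | sort
}

# Print "path: finding (CVE)" for every affected jQuery UI usage under $1.
scan_jqueryui_usage() {
    dir="$1"
    # Datepicker: the altField option (41182) and *Text options such as closeText (41183).
    js_files_matching "$dir" 'datepicker\(' | while read -r f; do
        grep -qE 'altField[[:space:]]*:' "$f" \
            && printf '%s: Datepicker altField (CVE-2021-41182)\n' "$f"
        grep -qE '[A-Za-z]Text[[:space:]]*:' "$f" \
            && printf '%s: Datepicker *Text option (CVE-2021-41183)\n' "$f"
    done
    # .position() util: the "of" option (41184), matched only as an object key.
    js_files_matching "$dir" '\.position\(' | while read -r f; do
        grep -qE '(^|[^A-Za-z0-9_$])of[[:space:]]*:' "$f" \
            && printf '%s: .position() of option (CVE-2021-41184)\n' "$f"
    done
    return 0
}

# Build a constructed module tree under $1 to scan (not real Backdrop modules).
make_sample_tree() {
    mkdir -p "$1/modules/example_dates/js" "$1/modules/example_popup/js" \
             "$1/modules/example_clean/js"
    cat > "$1/modules/example_dates/js/widget.js" <<'EOF'
(function ($) {
  // Site-configured strings flow into Datepicker options: needs review.
  $('.example-dates').datepicker({
    altField: Backdrop.settings.exampleDates.altField,
    closeText: Backdrop.settings.exampleDates.closeText
  });
})(jQuery);
EOF
    cat > "$1/modules/example_popup/js/popup.js" <<'EOF'
(function ($) {
  $('.example-popup').position({ my: 'left top', at: 'left bottom',
                                 of: Backdrop.settings.examplePopup.anchor });
})(jQuery);
EOF
    cat > "$1/modules/example_clean/js/clean.js" <<'EOF'
(function ($) {
  // Datepicker with only a fixed dateFormat: none of the affected options are set.
  $('.example-clean').datepicker({ dateFormat: 'yy-mm-dd' });
})(jQuery);
EOF
}

# Pass a site's modules directory to scan it; with no argument, scan the
# constructed sample tree instead.
if [ -n "$1" ]; then
    scan_jqueryui_usage "$1"
else
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    scan_jqueryui_usage "$tmp"
    rm -rf "$tmp"
fi
```

Run it as `sh audit.sh /path/to/site/modules` against the contributed modules of a Backdrop site. The patterns are deliberately loose (any key ending in Text inside a file that calls datepicker, any "of:" key in a file that calls .position()) so that they over-report rather than miss a wrapped or minified call; each reported file still has to be read to see whether the value can be influenced by an untrusted user.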
- Indigoxela for Backdrop CMS
- Drew Webber of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Lauri Eskola