Date: 
Wednesday, Jan 19th, 2022
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.21.0
Description: 

There will be no additional Backdrop release today. The version of jQuery UI included in Backdrop CMS is up to date as of the latest Backdrop release, version 1.21.0, released January 15th, 2022.

Earlier versions of Backdrop core did not use the parts of the jQuery UI library that were affected by the following vulnerabilities. Those versions may still be exploitable through contributed modules, if a module uses the affected parts of the jQuery UI library. There are no known instances of this happening.

jQuery UI is a third-party library included in Backdrop CMS. This library was previously thought to be end-of-life.

Late in 2021, the jQuery UI project announced that it would continue development, and released jQuery UI 1.13.0. As part of this 1.13.0 update, they disclosed the following security issues that may affect Backdrop sites that have not yet updated to 1.21.0:

Note: All other vulnerabilities that were previously unaddressed in the version of jQuery UI included in Drupal 7 do not affect any version of Backdrop CMS.

Reported By: 
Fixed By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form