Date: 
Wednesday, Mar 8th, 2017
Advisory ID: 
BACKDROP-SA-CONTRIB-2017-002
Security risk: 
Moderately Critical
Vulnerability: 
Information Disclosure
Versions affected: 
  • Metatag 0.x and 1.x versions prior to 1.21.0

Backdrop core is not affected. If you do not use the contributed Metatag module, there is nothing you need to do.

Description: 

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks.

The module doesn't sufficiently protect against data being cached that might contain information related to a specific user.

This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged in user.

Solution: 

Install the latest version:

  • If you use the Metatag module for Backdrop 1.x, upgrade to Metatag 7.x-1.21.0 or later.
Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form