Date: 
Thursday, Feb 28th, 2019
Advisory ID: 
BACKDROP-SA-CONTRIB-2019-001
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting
Versions affected: 
  • Focal Point 1.x.x versions prior to 1.1.1
Description: 

This module enables a privileged user to specify the important part of an image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.

Solution: 

Upgrade your site to the most recent version of Focal Point. Download available on the Focal Point 1.x.x release page.  See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form