Date: Wednesday, Apr 17th, 2019
Security risk: Critical
Advisory ID: BACKDROP-SA-CONTRIB-2019-007
Vulnerability: Remote Code Execution
Versions affected: 
  • Tablefield 2.5.x versions prior to 2.5.4
Description: 

The tablefield module allows you to attach tabular data to an entity.

The module does not sufficiently verify that the data it unserializes when a user requests a CSV export is actually the contents of a tablefield, which could lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.
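As an added illustration (not code from the Tablefield module or from this advisory), the unsafe unserialize pattern the description refers to beside a hardened form that refuses to instantiate classes and validates the decoded structure; the `tablefield` storage key and the function names are assumptions.

```php
<?php
// Added illustration, not the Tablefield module's own code. The storage layout
// (a serialized array under the key 'tablefield') and the function names are
// assumptions made for this example.

// Unsafe pattern: trusts that whatever is stored is a serialized table. If a
// serialized object was stored instead, unserialize() instantiates it, which
// is the object-injection condition the advisory describes.
function tablefield_csv_rows_unsafe($stored_value) {
  $data = unserialize($stored_value);
  return $data['tablefield'];
}

// Hardened pattern: never instantiate classes, then validate the shape of the
// decoded value before using it. Returns NULL for anything that is not a
// plain array of rows of scalar cells.
function tablefield_csv_rows_safe($stored_value) {
  // allowed_classes => FALSE (PHP 7.0+) maps any serialized object to
  // __PHP_Incomplete_Class, so no __wakeup()/__destruct() hooks run.
  // unserialize() returns FALSE on malformed input, which fails is_array().
  $data = unserialize($stored_value, array('allowed_classes' => FALSE));
  if (!is_array($data) || !isset($data['tablefield']) || !is_array($data['tablefield'])) {
    return NULL;
  }
  $rows = array();
  foreach ($data['tablefield'] as $row) {
    if (!is_array($row)) {
      return NULL;
    }
    $cells = array();
    foreach ($row as $cell) {
      // Tabular data is scalar cells only; any nested value is rejected.
      if ($cell !== NULL && !is_scalar($cell)) {
        return NULL;
      }
      $cells[] = (string) $cell;
    }
    $rows[] = $cells;
  }
  return $rows;
}

// Constructed inputs: a legitimate 2x2 table, and a serialized object sitting
// where table data is expected.
$good = serialize(array('tablefield' => array(array('a', 'b'), array('1', '2'))));
$bad = serialize(new stdClass());
var_dump(tablefield_csv_rows_safe($good));
var_dump(tablefield_csv_rows_safe($bad));
```

The validation step matters as much as `allowed_classes`: an export routine that only disables class instantiation still has to handle the incomplete-class or non-array value it gets back instead of assuming it is a table.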

Solution: 

Upgrade to the most recent version of the Tablefield module. Download available on the Tablefield 1.x-2.5.4 release page. See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"