Date:
Friday, Apr 10th, 2020
Advisory ID:
BACKDROP-SA-CONTRIB-2020-001
Security risk:
Critical
Vulnerability:
Arbitrary PHP code execution
CVE ID:
Versions affected:
- Feeds JSONPath Parser 1.x-1.0.0
Description:
Feeds JSONPath Parser has a dependency on the third party Library peekmo/jsonpath or Stefan Goessner's implementation of jsonpath, which when used with data that has not been sanatized allows arbitrary code to be run.
Vulnerabilities are possible if a user has permission to configure a feed, or the feed is configured such that a user with the access to the import form can alter a field mapping.
The latest version changes the dependency from the aforementioned libraries and changes it to flow/jsonpath, which does not require value sanitation for the same functionality.
Solution:
Upgrade your site to the most recent version of Feeds JSONPath Parser.
Reported By:
- generalredneck maintainer of the 7.x version.
- BWPanda creator of the original port to Backdrop CMS
Fixed By:
- generalredneck maintainer of the 7.x version.
- herbdool of the Backdrop CMS Bug Squad
Coordinated By:
- herbdool of the Backdrop CMS Bug Squad
- serundeputy of the Backdrop CMS Security Team