Date: Friday, Apr 10th, 2020
Security risk: Critical
Advisory ID: BACKDROP-SA-CONTRIB-2020-001
Vulnerability: Arbitrary PHP code execution
Versions affected: 
  • Feeds JSONPath Parser 1.x-1.0.0
Description: 

Feeds JSONPath Parser has a dependency on the third-party library peekmo/jsonpath or Stefan Goessner's implementation of JSONPath, which, when used with data that has not been sanitized, allows arbitrary code to be run.

Vulnerabilities are possible if a user has permission to configure a feed, or if the feed is configured such that a user with access to the import form can alter a field mapping.

The latest version replaces the dependency on the aforementioned libraries with flow/jsonpath, which does not require value sanitation for the same functionality.
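As an added example (not code from the advisory, the module or either library), this is the kind of allowlist check the eval-based parsers required before a mapping expression could be trusted: it accepts only structural navigation and rejects the script `[(...)]` and filter `[?(...)]` expressions that those implementations hand to eval(). The function name feeds_jsonpath_is_structural and the sample mappings are constructed for illustration.

```php
<?php
// Added example: a conservative allowlist check for JSONPath mapping expressions.
// Not part of the advisory or of Feeds JSONPath Parser; the function name is hypothetical.

/**
 * Returns TRUE when $path uses only structural JSONPath navigation:
 *   $                                   root
 *   .name   .*                          child, wildcard child
 *   ..name  ..*                         recursive descent
 *   [N] [*] [N:M:S] ['name'] ["name"]   subscripts
 * Script expressions "[(...)]" and filter expressions "[?(...)]" never match,
 * because "(", "?" and "@" are not in this grammar. Those are the constructs
 * an eval-based JSONPath implementation evaluates as code.
 */
function feeds_jsonpath_is_structural($path) {
  if (!is_string($path) || $path === '' || strlen($path) > 512) {
    return FALSE;
  }
  $name      = '[A-Za-z_][A-Za-z0-9_]*';
  $quoted    = '\'[^\'\[\]]*\'|"[^"\[\]]*"';
  $index     = '-?\d+';
  $slice     = '(?:-?\d+)?:(?:-?\d+)?(?::-?\d+)?';
  $subscript = '\[(?:\*|' . $index . '|' . $slice . '|' . $quoted . ')\]';
  $segment   = '(?:\.\.?(?:' . $name . '|\*)|' . $subscript . ')';
  // \z rather than $ so a trailing newline cannot slip past the check.
  $pattern   = '/^\$(?:' . $segment . ')*\z/';
  return preg_match($pattern, $path) === 1;
}

// Constructed sample mappings, as an administrator might enter them on the
// feed configuration form. The last two are rejected.
$samples = array(
  '$.store.book[*].author',
  '$..price',
  '$[\'store\'][\'book\'][0:2].title',
  '$.store.book[?(@.price < 10)].title',
  '$.store.book[(@.length-1)].title',
);
foreach ($samples as $sample) {
  printf("%-45s %s\n", $sample, feeds_jsonpath_is_structural($sample) ? 'allowed' : 'rejected');
}
```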

Solution: 
Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"