Date: Wednesday, Feb 15th, 2023
Advisory ID: BACKDROP-SA-CONTRIB-2023-001
Security risk: Critical
Vulnerability: Cross Site Scripting
Versions affected: 
  • The borg theme versions prior to 1.x-1.1.19
Description: 

The borg theme does not sufficiently sanitize path arguments that are passed in via URL.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Solution: 

Upgrade your site to the most recent version of the borg theme. The download is available on the Borg 1.1.19 release page.
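One way to check a site against the affected range above, as an added example that is not part of the advisory or of the Backdrop project's code. It assumes each installed copy of the theme has a `borg.info` file carrying a packaged `version = 1.x-...` line; the function names are hypothetical.

```python
import re
from pathlib import Path

FIXED = (1, 1, 19)  # first fixed release per this advisory: 1.x-1.1.19

# Assumption: the packaged theme ships a borg.info file containing a line
# such as `version = 1.x-1.1.19`.
VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)
RELEASE = re.compile(r'^1\.x-(\d+)\.(\d+)\.(\d+)$')


def classify(info_text):
    """Return (version_string, status) for the contents of a borg.info file."""
    m = VERSION_LINE.search(info_text)
    if not m:
        return None, "unknown"      # e.g. a git checkout with no packaged version
    version = m.group(1)
    rel = RELEASE.match(version)
    if not rel:
        return version, "unknown"   # dev snapshot or unexpected format
    # Compare numerically: as strings, "1.1.2" would sort after "1.1.19".
    parts = tuple(int(p) for p in rel.groups())
    return version, "affected" if parts < FIXED else "fixed"


def scan(docroot):
    """Find every copy of the borg theme under docroot and classify it."""
    results = []
    for info in sorted(Path(docroot).rglob("borg.info")):
        text = info.read_text(encoding="utf-8", errors="replace")
        version, status = classify(text)
        results.append((str(info), version, status))
    return results


if __name__ == "__main__":
    import sys
    rows = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, status in rows:
        print(f"{status:8} {version or '-':16} {path}")
    # Non-zero exit when any copy needs attention, so this can gate a deploy.
    sys.exit(1 if any(s != "fixed" for _, _, s in rows) else 0)
```

Copies reported as `unknown` have no packaged version line and need a manual comparison against the 1.x-1.1.19 release.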

Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"