Date: 
Wednesday, Aug 23rd, 2023
Advisory ID: 
BACKDROP-SA-CONTRIB-2023-005
Security risk: 
Critical
Vulnerability: 
Remote Code Execution
Versions affected: 
  • ACL versions prior to 1.x-1.4.0
Description: 

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Examples of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.

Known client modules include:

  • Forum Access
  • Content Access
  • Flexi Access (Drupal only)

Coordinated Security Advisories are being released for those client modules that have Security coverage.

Solution: 

Install the latest version:

  • If you use the ACL module for Backdrop 1.x, upgrade to ACL 1.x-1.4.0

Any client modules that depend on ACL should also be updated.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"