Advisory ID: BACKDROP-SA-CORE-2015-004
Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection, Information Disclosure, Multiple vulnerabilities
Versions affected:
  • Backdrop Core 1.x.x versions prior to 1.1.3

XSS injection in AJAX Framework

A vulnerability was found that allows a malicious user to perform an XSS attack by invoking Backdrop.ajax() on a whitelisted HTML element.

This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

XSS injection in Autocomplete

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files to the site.

SQL Injection

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.

This vulnerability is mitigated by the fact that the affected functionality is only accessible to users with the "administer views" permission.
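To illustrate the SQL comment filtering item above, here is an added example that is not Backdrop's own code and not part of this advisory: a weak comment filter modelled on the one Backdrop inherited from Drupal 7 beside a hardened one, plus an exhaustive check of the single invariant the filter must uphold (a filtered comment can never close the "/* ... */" wrapper the query is prefixed with). Both filter shapes and the wrapper are assumptions.

```php
<?php
// Constructed illustration for this advisory, not Backdrop's own code.
// Assumption: a query comment is prefixed to the SQL as "/* ... */", so the
// filter's one invariant is that the filtered body never contains "*/".

// Assumed shape of the weak filter: delete "/*" and "*/" in a single
// left-to-right pass. Deleting one token can splice its neighbours into a
// new "*/" that the pass has already moved past.
function filterCommentWeak(string $comment): string {
    return preg_replace('/(\/\*\s*)|(\s*\*\/)/', '', $comment);
}

// Hardened filter: pad every "*" instead of deleting anything, so "*/" can
// never be assembled regardless of how the input is arranged.
function filterCommentHardened(string $comment): string {
    return strtr($comment, ['*' => ' * ']);
}

// The invariant the comment must satisfy before it is placed in the query.
function commentIsSafe(string $filtered): bool {
    return strpos($filtered, '*/') === false;
}

// Exhaustively check every string up to $maxLen over a small alphabet and
// return the inputs for which $filter breaks the invariant.
function findInvariantViolations(callable $filter, int $maxLen = 5): array {
    $alphabet = ['*', '/', ' ', 'a'];
    $violations = [];
    $layer = [''];
    for ($len = 1; $len <= $maxLen; $len++) {
        $next = [];
        foreach ($layer as $prefix) {
            foreach ($alphabet as $ch) {
                $candidate = $prefix . $ch;
                $next[] = $candidate;
                if (!commentIsSafe($filter($candidate))) {
                    $violations[] = $candidate;
                }
            }
        }
        $layer = $next;
    }
    return $violations;
}

// Expected: the weak filter reports violations, the hardened filter reports 0.
foreach (['filterCommentWeak', 'filterCommentHardened'] as $name) {
    $bad = findInvariantViolations($name);
    printf("%-22s violations up to length 5: %d%s\n", $name, count($bad),
        $bad ? ' (e.g. ' . var_export($bad[0], true) . ')' : '');
}
```

The same invariant check is a useful regression test to keep around whenever a filter that deletes substrings is later touched, since single-pass deletion is the pattern that fails here.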

Value callbacks in Form API might run with untrusted input

A vulnerability was discovered in Backdrop's Form API that could allow file upload value callbacks to run with untrusted input, due to the form token not being checked early enough in the form processing order.

This vulnerability can be mitigated by not allowing untrusted users to upload files.

Information Disclosure of Node Titles in Menu Links

For a site that has removed the "access content" permission from anonymous users, the titles of nodes that are added to the main menu or another menu are still visible to anonymous users.

This vulnerability is mitigated by the fact that site administrators must have added one or more nodes to a menu that is visible to anonymous users, and the site must not be using a node access module that would filter those nodes out of content listings for anonymous users.

Solution: 

Upgrade your site to the latest version of Backdrop CMS.

The download is available on the Backdrop CMS 1.1.3 release page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.

Reported By: 

XSS injection in AJAX Framework:

XSS injection in Autocomplete:

SQL Injection:

Value callbacks in Form API might run with untrusted input:

Information Disclosure of Node Titles in Menu Links:

Fixed By: 

XSS injection in AJAX Framework:

XSS injection in Autocomplete:

SQL Injection:

Value callbacks in Form API might run with untrusted input:

Information Disclosure of Node Titles in Menu Links:

Coordinated By: