- Cross Site Scripting
- Cross Site Request Forgery
- SQL Injection
- Information Disclosure
- Multiple vulnerabilities
- Backdrop Core 1.x.x versions prior to 1.1.3
XSS injection in AJAX Framework
A vulnerability was found that allows a malicious user to perform an XSS attack by invoking Backdrop.ajax() on a whitelisted HTML element. This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.
XSS injection in Autocomplete
A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized. This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files to the site.
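The two XSS items above share one root cause: a value taken from the request (here the requested URL) is concatenated into markup without escaping. The following is an added example, not Backdrop's code; the rendering functions, the allowed-tag check and the sample URL are constructed for illustration and assume nothing about Backdrop's actual autocomplete implementation.

```javascript
// Added example (not Backdrop's code): why a request URL dropped into
// markup unescaped becomes an XSS sink, and the hardened form.
// The suggestion widget below and its sample input are constructed.

// Minimal HTML escaper: neutralises the five characters that can change
// parsing context inside element content or a double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the requested URL is interpolated straight into
// the fragment that the widget later assigns to innerHTML.
function renderStatusUnsafe(url) {
  return '<div class="autocomplete-status">Fetching ' + url + '</div>';
}

// Hardened pattern: every untrusted value is escaped before it is
// concatenated into markup. (Using textContent instead of innerHTML
// would be the equivalent fix when touching the DOM directly.)
function renderStatusSafe(url) {
  return '<div class="autocomplete-status">Fetching ' + escapeHtml(url) + '</div>';
}

// Small check a unit test can run over rendered output: does the
// fragment contain any tag other than those the template itself emits?
function containsForeignTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map(m => m[1].toLowerCase());
  return tags.some(t => !allowedTags.includes(t));
}

// Constructed sample input: a "path" that carries harmless markup. The
// point is only that markup in the URL is interpreted, not executed here.
const SAMPLE_URL = '/autocomplete/user/<b>not-a-path</b>';

// Returns true when the unsafe renderer lets foreign markup through and
// the safe renderer does not; a regression test would assert on this.
function demonstrate() {
  const unsafeLeaks = containsForeignTag(renderStatusUnsafe(SAMPLE_URL), ['div']);
  const safeLeaks = containsForeignTag(renderStatusSafe(SAMPLE_URL), ['div']);
  return unsafeLeaks && !safeLeaks;
}
```

The `containsForeignTag` check is deliberately crude (it only looks for tag names), but it is enough to catch the class of regression the advisory describes: a template that starts emitting tags it never defined.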
SQL Injection
A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments. This vulnerability is mitigated by the fact that the affected functionality is only accessible to users with "administer views" permissions.
Value callbacks in Form API might run with untrusted input
A vulnerability was discovered in Backdrop's Form API that could allow file upload value callbacks to run with untrusted input, due to the order form token not being checked early enough. This vulnerability can be mitigated by not allowing untrusted users to upload files.
Information Disclosure of Node Titles in Menu Links
For a site that has removed the "access content" permission from anonymous users, the titles of nodes that are added to the main menu or another menu are still visible to anonymous users. This vulnerability is mitigated by the fact that site administrators must have added one or more nodes to a menu that is visible to anonymous users, and the site must not be using a node access module that would filter those nodes out of content listings for anonymous users.
Upgrade your site to the latest version of Backdrop CMS. The download is available on the Backdrop CMS 1.1.3 release page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.
XSS injection in AJAX Framework:
- Régis Leroy
- Kay Leung, Drupal core JavaScript maintainer
- Samuel Mortenson
- Pere Orga of the Drupal Security Team
XSS injection in Autocomplete:
- Alex Bronstein of the Drupal Security Team
- Pere Orga of the Drupal Security Team
SQL Injection:
- Carl Sabottke of White Fir Design LLC
Value callbacks in Form API might run with untrusted input:
Information Disclosure of Node Titles in Menu Links:
- David Rothstein of the Drupal Security Team
XSS injection in AJAX Framework:
- Théodore Biadala, Drupal core JavaScript maintainer
- Alex Bronstein of the Drupal Security Team
- Ben Dougherty of the Drupal Security Team
- Gábor Hojtsy of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Kay Leung, Drupal core JavaScript maintainer
- Wim Leers
- Samuel Mortenson
- Pere Orga of the Drupal Security Team
- Tim Plunkett
- David Rothstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- znerol, maintainer of Authcache module
- Nate Haug of the Backdrop CMS Security Team
XSS injection in Autocomplete:
- Alex Bronstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Nate Haug of the Backdrop CMS Security Team
SQL Injection:
- Anthony Ferrara
- Larry Garfield
- Greg Knaddison of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Cathy Theys
- Peter Wolanin of the Drupal Security Team
Value callbacks in Form API might run with untrusted input:
- Greg Knaddison of the Drupal Security Team
- Wim Leers
- David Rothstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
Information Disclosure of Node Titles in Menu Links:
- David Rothstein of the Drupal Security Team
- Nate Haug of the Backdrop CMS Security Team
- David Rothstein of the Drupal Security Team