Advisory ID: BACKDROP-SA-CORE-2017-004
Vulnerability: Access bypass
Versions affected:
  • Backdrop Core 1.x.x versions prior to 1.6.2

Access bypass via views of taxonomy terms

The Backdrop core module Views allows site builders to create listings of various data in the Backdrop database.

The Views module fails to add the required access query tags to listings of taxonomy terms, so the access-control hooks that run on other term queries are never invoked for these listings. Private data stored on taxonomy terms could therefore be exposed to users who do not have permission to view it.

This is mitigated by the fact that a View must exist that lists taxonomy terms which contain private data. If all data on taxonomy terms is public, or no such Views exist, your site is unaffected.
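The following module code is an added illustration and is not Backdrop core code or the actual fix. It shows the mechanism the advisory refers to: Backdrop runs hook_query_TAG_alter() implementations only for queries carrying the matching tag, so an access filter attached to the 'taxonomy_term_access' tag protects tagged term queries but is silently skipped by a Views listing that omits the tag. The module name mymodule, the boolean field field_private (stored in field_data_field_private), the permission 'view private terms', and the assumption that Backdrop's Views honours the 'access query tag' key on a base table the way Views 3 does for nodes are all assumptions made for this example.

```php
<?php
/**
 * mymodule.module (illustrative, not Backdrop core code).
 *
 * Assumptions: terms carry a boolean field 'field_private' (table
 * field_data_field_private, column field_private_value); users with the
 * permission 'view private terms' may see private terms.
 */

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    'view private terms' => array('title' => t('View private taxonomy terms')),
  );
}

/**
 * Implements hook_query_TAG_alter() for the 'taxonomy_term_access' tag.
 *
 * Core tags its own term loads (taxonomy_term_load_multiple(),
 * taxonomy_get_tree()) with 'taxonomy_term_access', so this filter applies
 * to them. It applies to a Views listing only if the Views query carries the
 * same tag; without the tag, private terms are returned to everyone.
 */
function mymodule_query_taxonomy_term_access_alter(QueryAlterableInterface $query) {
  if (user_access('view private terms')) {
    return;
  }
  // Locate the alias under which the term base table was joined.
  $alias = NULL;
  foreach ($query->getTables() as $table) {
    if ($table['table'] === 'taxonomy_term_data') {
      $alias = $table['alias'];
      break;
    }
  }
  if ($alias === NULL) {
    return;
  }
  // Keep only terms whose private flag is unset or FALSE.
  $query->leftJoin('field_data_field_private', 'priv',
    "priv.entity_type = 'taxonomy_term' AND priv.entity_id = {$alias}.tid");
  $query->condition(db_or()
    ->isNull('priv.field_private_value')
    ->condition('priv.field_private_value', 0));
}

/**
 * Implements hook_views_data_alter().
 *
 * Declares the access query tag on the term base table so every View built
 * on taxonomy terms is tagged and the alter hook above runs for it. This is
 * the same mechanism node listings use with the 'node_access' tag (assumed
 * here to be honoured by Backdrop's Views as in Views 3).
 */
function mymodule_views_data_alter(&$data) {
  $data['taxonomy_term_data']['table']['base']['access query tag'] = 'taxonomy_term_access';
}

/**
 * Untagged listing: the access alter hook never runs, so private terms leak.
 */
function mymodule_list_terms_unsafe() {
  return db_select('taxonomy_term_data', 't')
    ->fields('t', array('tid', 'name'))
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Tagged listing: the access alter hook filters private terms for users
 * lacking 'view private terms'.
 */
function mymodule_list_terms_safe() {
  return db_select('taxonomy_term_data', 't')
    ->fields('t', array('tid', 'name'))
    ->addTag('taxonomy_term_access')
    ->execute()
    ->fetchAllKeyed();
}
```

A quick check on an affected site is to build a View on taxonomy terms, load it as a user without the relevant permission, and compare the result against a tagged load such as taxonomy_get_tree() for the same vocabulary; any terms that appear only in the View are the ones the missing tag exposes.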

Access bypass via views bulk operations on user accounts

The Backdrop core user account listing page is used to administer user accounts. The bulk operation on this page that adds roles to the selected accounts also allowed a user with access to that operation to add roles to their own account, promoting themselves beyond their intended access.

This is mitigated by the fact that a user must already have permission to view the user account listing page in order to reach the bulk operation.

Solution: 

Upgrade your site to Backdrop CMS 1.6.2 or later. Download available at the Backdrop CMS 1.X.X release page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.

Reported By: 
Fixed By: 
Coordinated By: