Date: Wednesday, Mar 15th, 2017
Advisory ID: BACKDROP-SA-CORE-2017-004
Security risk: Moderately Critical
Vulnerability: Access bypass
Versions affected:
  • Backdrop Core 1.x.x versions prior to 1.6.2
Description:

Access bypass via views of taxonomy terms

The Backdrop core module Views allows site builders to create listings of various data in the Backdrop database.

The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permission to view it.

This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.
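To show why a missing query tag matters, here is an added PHP illustration (not Backdrop core code and not part of this advisory). In Backdrop and Drupal 7, per-term access restrictions are applied by hook_query_term_access_alter() implementations, which the database layer invokes only for queries that carry the `term_access` tag; a listing built without the tag never reaches them. The module name `example_private`, its `example_private_term` table, the `private` column and the "view private terms" permission are assumptions made for this example.

```php
<?php
/**
 * Added example, not Backdrop core code. Demonstrates that term access
 * enforcement is opt-in per query: only queries tagged 'term_access'
 * are passed to hook_query_term_access_alter() implementations.
 *
 * Assumed for this illustration: a custom module example_private keeps a
 * per-term flag in its own table example_private_term (tid, private) and
 * grants the permission "view private terms" to trusted roles only.
 */

/**
 * Implements hook_query_TAG_alter() for the term_access tag.
 *
 * Runs only for queries that called ->addTag('term_access'). An untagged
 * listing (such as the affected Views query) bypasses this filter entirely.
 */
function example_private_query_term_access_alter(QueryAlterableInterface $query) {
  if (user_access('view private terms')) {
    return;  // Trusted users may see private terms.
  }
  // Locate the alias under which taxonomy_term_data was joined.
  foreach ($query->getTables() as $alias => $table) {
    if ($table['table'] === 'taxonomy_term_data') {
      $query->leftJoin('example_private_term', 'ep', "ep.tid = $alias.tid");
      // Keep terms that have no flag row or are explicitly not private.
      $query->condition(db_or()->isNull('ep.private')->condition('ep.private', 0));
      return;
    }
  }
}

/**
 * Lists terms keyed by tid. Only the tagged form is access-filtered.
 *
 * @param bool $enforce_access
 *   TRUE adds the term_access tag (safe); FALSE reproduces the untagged
 *   pattern that leaks private terms to users without permission.
 */
function example_private_list_terms($enforce_access = TRUE) {
  $query = db_select('taxonomy_term_data', 't')
    ->fields('t', array('tid', 'name'));
  if ($enforce_access) {
    // The tag is what opts this query into hook_query_term_access_alter().
    $query->addTag('term_access');
  }
  return $query->execute()->fetchAllKeyed();
}
```

A quick site audit for this class of bug is to grep custom and contrib code for db_select() or EntityFieldQuery calls against taxonomy_term_data and confirm each one tags its query, since nothing else will apply the access hooks.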

Access bypass via views bulk operations on user accounts

The Backdrop core user account listing allows administration of user accounts. The bulk operation on this page that adds roles to the selected accounts also allowed a user to promote themselves beyond their intended access.

This is mitigated by the fact that a user must already have permission to view the user account page in order to have access to the bulk operation.

Solution: 

Upgrade your site to the latest version of Backdrop CMS. Downloads are available from the Backdrop CMS 1.X.X release page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form