- Cross Site Scripting
- Access bypass
- Backdrop Core 1.x.x versions prior to 1.7.2
Access Bypass - Moderately Critical
When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The Views module did not restrict access to the Ajax endpoint to only those views configured to use Ajax. This is mitigated if the view has access restrictions; however, many widely used contrib modules do not set access restrictions on the default views they provide. Any view that does not have access controls on the default (master) display may be vulnerable. The vulnerability does not require any authentication to be exploited. A successful exploit results in some non-public data being made public.
Sites running versions of Backdrop prior to 1.x-1.7.2 should update immediately.
It is best practice to always include some form of access restriction on all views, even if you are using another module to display them.
Upgrade your site to the latest version of Backdrop CMS. Downloads are available on the Backdrop CMS 1.7.2 release page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.
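As an added illustration (not code from Backdrop or from this advisory), the shape of the gate a Views Ajax callback needs: the requested display must be Ajax-enabled and the current user must pass that display's access handler, so a view that merely lacks access controls is no longer served. The function and method names used (views_get_view(), set_display(), display_handler->use_ajax(), access(), backdrop_access_denied()) are the Drupal-7-era Views API that Backdrop inherited and are assumed here.

```php
<?php
// Added illustration, not Backdrop's actual code. A request naming
// $view_name and $display_id is served only when (a) the display is
// configured to use Ajax and (b) the display's access check passes.
// API names (views_get_view, set_display, use_ajax, access,
// backdrop_access_denied) are assumed from the D7-style Views API.

/**
 * Return the loaded view if the Ajax request may be served, else NULL.
 */
function example_views_ajax_load($view_name, $display_id) {
  $view = views_get_view($view_name);
  if (!$view) {
    return NULL;
  }

  // Weak gate (the pattern this advisory fixes): access check only.
  // A view whose master display has no access plugin passes here even
  // though it was never configured to answer Ajax requests.
  // if ($view->access($display_id)) { return $view; }

  // Hardened gate: the display must exist, be Ajax-enabled, AND grant
  // access. set_display() runs first so display_handler refers to the
  // requested display rather than the default one.
  if ($view->set_display($display_id)
      && $view->display_handler->use_ajax()
      && $view->access($display_id)) {
    return $view;
  }
  return NULL;
}

/**
 * Menu callback shape: deny instead of rendering when the gate fails.
 */
function example_views_ajax() {
  $view_name  = isset($_REQUEST['view_name']) ? $_REQUEST['view_name'] : '';
  $display_id = isset($_REQUEST['view_display_id']) ? $_REQUEST['view_display_id'] : 'default';

  $view = example_views_ajax_load($view_name, $display_id);
  if (!$view) {
    backdrop_access_denied();
    return;
  }
  // Normal Ajax rendering of $view follows here.
}
```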
Access Bypass
- Klaus Purer
- Daniel Wehner
- Michael Hess of the Drupal Security Team
- Len Swaneveld
- Wim Leers
Cross Site Scripting
- Nate Lampton of the Backdrop CMS Security Team
- Jen Lampton
- Nate Lampton of the Backdrop CMS Security Team
- Geoff St Pierre of the Backdrop CMS Security Team