Advisory ID: 
BACKDROP-SA-CORE-2017-009
Vulnerability: 
Cross Site Scripting
Access bypass
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.7.2

Access Bypass - Moderately Critical

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The Views subsystem/module did not restrict access to the Ajax endpoint to only those views configured to use Ajax. This is mitigated if you have access restrictions on the view; however, many widely used contrib modules do not set access restrictions on the default views they provide. Any view that does not have access controls on the default (master) display may be vulnerable. The vulnerability does not require any authentication to be exploited. A successful exploit results in some non-public data being made public.

Sites running versions of Backdrop prior to 1.x-1.7.2 should update immediately.

It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
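As an added illustration (not Backdrop's own code and not the actual patch), the following PHP shows an Ajax callback written the way the paragraph above describes the weakness, next to a version that additionally refuses any display that was not configured to use Ajax. The function names and the request parameter names are assumptions; views_get_view(), $view->access(), $view->set_display(), $view->preview() and $view->display_handler->use_ajax() are Views 3 API calls that Backdrop inherited.

```php
<?php
/**
 * Added example, not Backdrop core code. example_views_ajax_vulnerable(),
 * example_views_ajax_hardened() and the request keys are assumptions made
 * for illustration; the $view method calls are the Views 3 API.
 */

// Pattern described by the advisory: the endpoint executes whatever view
// and display the request names. The only gate is the view's own access
// setting, so a view whose master display has no access restriction is
// served to anonymous users even though it was never configured for Ajax.
function example_views_ajax_vulnerable() {
  $name = isset($_REQUEST['view_name']) ? $_REQUEST['view_name'] : NULL;
  $display_id = isset($_REQUEST['view_display_id']) ? $_REQUEST['view_display_id'] : 'default';

  $view = views_get_view($name);
  if ($view && $view->access($display_id) && $view->set_display($display_id)) {
    // Renders the display and hands its output back to the Ajax caller.
    return $view->preview($display_id);
  }
  return array();
}

// Hardened pattern: in addition to the per-view access check, require that
// the requested display was explicitly configured to use Ajax. Displays that
// are not Ajax displays are refused instead of being rendered and leaked.
function example_views_ajax_hardened() {
  $name = isset($_REQUEST['view_name']) ? $_REQUEST['view_name'] : NULL;
  $display_id = isset($_REQUEST['view_display_id']) ? $_REQUEST['view_display_id'] : 'default';

  $view = views_get_view($name);
  if (!$view || !$view->access($display_id) || !$view->set_display($display_id)) {
    return array();
  }
  if (!$view->display_handler->use_ajax()) {
    // Not an Ajax display: deny, even if the view's access check passed.
    return array();
  }
  return $view->preview($display_id);
}
```

The $view->access($display_id) call is the check that the advisory's mitigation ("access restrictions on the view") relies on. A master display with no access settings passes it for anonymous users, which is why the extra use_ajax() condition matters, and why the advice to put access restrictions on every view still stands even after the fix.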

Cross Site Scripting - Moderately Critical

When creating a content type, administrators can define a Human-readable name for the type of content. The system did not filter this administrator-provided text before displaying it to the user on the Manage Displays page, creating a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer content types".

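As an added illustration (not Backdrop's own code), the following PHP shows an admin page helper that renders a content type's human-readable name unescaped, next to a version that escapes it at the point of output. The function names and the shape of the $type object are assumptions; check_plain() is the Backdrop/Drupal 7 helper that converts a plain-text string to HTML-safe output.

```php
<?php
/**
 * Added example, not Backdrop core code. The function names and the $type
 * object are assumptions; check_plain() is the real Backdrop helper.
 */

// Pattern described by the advisory: the label is trusted because only
// administrators can set it, and is concatenated into HTML as-is. Any markup
// in the name is rendered as markup in every administrator's browser.
function example_manage_display_title_vulnerable($type) {
  return '<h2>Manage display: ' . $type->name . '</h2>';
}

// Hardened pattern: treat the label as untrusted text regardless of who set
// it and escape it where it is placed into HTML. check_plain() turns
// <, >, &, " and ' into entities, so the name is shown literally.
function example_manage_display_title_hardened($type) {
  return '<h2>Manage display: ' . check_plain($type->name) . '</h2>';
}

// Constructed sample content type whose label carries markup.
$type = (object) array(
  'type' => 'article',
  'name' => 'Article <b>title</b>',
);

// Vulnerable output keeps the <b> element live in the page; hardened output
// renders the text "Article <b>title</b>" exactly as typed.
print example_manage_display_title_vulnerable($type) . "\n";
print example_manage_display_title_hardened($type) . "\n";
```

The hardened form is the general rule the advisory implies: the permission check ("administer content types") limits who can set the label, but it does not make the stored value safe to emit, so escaping belongs at output regardless of the author's role.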
Solution: 

Upgrade your site to the latest version of Backdrop CMS. The download is available from the Backdrop CMS 1.7.2 release page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.

Reported By: 

Access Bypass

Cross Site Scripting

Fixed By: 

Access Bypass

Cross Site Scripting

Coordinated By: