- Backdrop Core versions prior to 1.9.2
JavaScript cross-site scripting prevention is incomplete - Critical
Backdrop has a Backdrop.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.
The PHP functions which Backdrop provides for HTML escaping are not affected.
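As an added example (not Backdrop's code and not the patched `Backdrop.checkPlain()`), the block below shows the shape of a conservative HTML escaper in JavaScript together with a small oracle a site maintainer can run against any escaping routine, including a project's own. The sample inputs and the `weakEscaper` function are constructed for illustration only; the latter is hypothetical and is not a description of the Backdrop defect.

```javascript
// Added example (not Backdrop's code): a conservative HTML-escaping helper
// of the kind Backdrop.checkPlain() is meant to be, plus a self-check that a
// defender can run against any escaping routine.
//
// Design points that matter for an escaper whose output reaches innerHTML or
// an attribute value:
//  1. Escape '&' first (or in one pass), so later replacements cannot be
//     re-interpreted as the start of a character reference.
//  2. Cover both quote characters. A value that lands in a single-quoted
//     attribute is not protected by escaping '"' alone.
//  3. Coerce non-string input explicitly; escaping must not throw on numbers
//     or undefined, because an exception often leaves a caller to fall back
//     to the raw value.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Single pass with a character class: the result is order-independent by
// construction, so there is no replacement sequence to get wrong.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Returns true when `escaped` contains no raw HTML metacharacters and every
// '&' begins a well-formed character reference. Usable as a unit-test oracle
// for any escaping function.
function looksEscaped(escaped) {
  if (/[<>"']/.test(escaped)) return false;
  const withoutRefs = escaped.replace(
    /&(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#x[0-9a-fA-F]+);/g,
    ''
  );
  return !withoutRefs.includes('&');
}

// Constructed inputs exercising distinct injection shapes: element injection,
// double- and single-quoted attribute breakout, pre-existing entities, and
// non-string values.
const SAMPLE_INPUTS = [
  '<img src=x onerror=alert(1)>',
  '" onmouseover="alert(1)',
  "' onmouseover='alert(1)",
  'Tom &amp; Jerry <b>',
  12345,
  undefined,
];

// Runs an escaper over the samples and returns the ones that fail the oracle.
function auditEscaper(escaper = escapeHtml, inputs = SAMPLE_INPUTS) {
  return inputs
    .map((input) => {
      const output = escaper(input);
      return { input, output, safe: looksEscaped(output) };
    })
    .filter((r) => !r.safe);
}

// Hypothetical weak escaper (not the Backdrop code) that forgets one quote
// character, used only to show that the oracle catches an incomplete routine.
function weakEscaper(value) {
  return String(value).replace(/[&<>"]/g, (ch) => HTML_ESCAPES[ch]);
}
```

Running `auditEscaper()` against the complete escaper returns an empty list, while `auditEscaper(weakEscaper)` reports the single-quoted attribute sample, which is the kind of regression check worth keeping next to any client-side escaping helper.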
Upgrade your site to the latest version of Backdrop CMS. Downloads are available on the Backdrop CMS download page, and update instructions at https://backdropcms.org/upgrade#from-previous-versions.
- Heine Deelstra of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Jess of the Drupal Security Team
- Cash Williams of the Drupal Security Team
- Nate Lampton of the Backdrop Security Team
- Jess of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Nate Lampton of the Backdrop Security Team