Advisory ID: BACKDROP-SA-CORE-2018-001
Vulnerability: Cross Site Scripting, Access bypass, Multiple vulnerabilities
Versions affected: 
  • Backdrop Core versions prior to 1.9.2

JavaScript cross-site scripting prevention is incomplete - Critical

Backdrop has a Backdrop.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Backdrop provides for HTML escaping are not affected.
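As an added illustration, not Backdrop's code and not the specific defect fixed in this advisory, the following shows the character set a checkPlain()-style HTML escaper has to cover, a constructed incomplete escaper of the general kind such a bug takes, and a test oracle that catches the gap:

```javascript
// Added example, not Backdrop's code: what a checkPlain()-style HTML text
// escaper must cover, and a check that flags an escaper that misses something.

// Characters that change meaning in HTML text or in a quoted attribute value.
// Replacing them with entities in a single pass keeps the result inert whether
// it lands between tags or inside a double- or single-quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Complete escaper: one regex pass, so '&' in the input is encoded once and
// never re-interpreted (already-escaped input is shown literally, by design).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed incomplete escaper (hypothetical, not Backdrop's): it forgets
// the single quote, so a value placed in a single-quoted attribute can still
// close that attribute. This is the shape of bug a test oracle must catch.
function escapeHtmlIncomplete(text) {
  return String(text).replace(/[&<>"]/g, (ch) => HTML_ESCAPES[ch]);
}

// Oracle for unit tests: escaped output may contain no raw metacharacter and
// '&' only as one of the entities above. Run it over every escaper a site ships.
function isInert(escaped) {
  return !/[<>"']/.test(escaped) &&
         !/&(?!(?:amp|lt|gt|quot|#39);)/.test(escaped);
}

// Constructed sample containing every metacharacter.
const SAMPLE = `<b>'Tom' & "Jerry"</b>`;

// Escaping is context-specific: this covers HTML text and attribute values
// only; URLs, inline JavaScript and CSS need their own encoders.
```

Running `isInert` over the output of every escaper in a code base is a cheap regression check that would flag the incomplete variant immediately.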

Private file access bypass - Moderately Critical

When using Backdrop's private file system, Backdrop will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains - Moderately Critical

A jQuery cross-site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. This vulnerability affects sites using the version of jQuery bundled with Backdrop core (1.12.4); newer versions of jQuery are not affected.

External link injection on 404 pages when linking to the current page - Less Critical

Backdrop core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution: 

Upgrade your site to the latest version of Backdrop CMS. Downloads are available from the Backdrop CMS download page. Update instructions are available at https://backdropcms.org/upgrade#from-previous-versions.

Reported By: 
  • JavaScript cross-site scripting prevention is incomplete - Critical
  • Private file access bypass - Moderately Critical
  • jQuery vulnerability with untrusted domains - Moderately Critical
  • External link injection on 404 pages when linking to the current page - Less Critical
Fixed By: 
Coordinated By: