- Backdrop Core versions prior to 1.9.2
A jQuery cross-site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. This vulnerability affects sites using the version of jQuery bundled with Backdrop core (1.12.4); newer versions of jQuery are not affected.
Upgrade your site to the most recent version of Backdrop core. The download is available on the Backdrop CMS 1.9.2 release page. See the update instructions, if needed.
- Chris McCafferty of the Drupal Security Team
- Matthew Grill
- will c
- David Rothstein of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Jess of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Nate Lampton of the Backdrop Security Team
- Jess of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Nate Lampton of the Backdrop Security Team