Advisory ID: BACKDROP-SA-CORE-2018-003
Vulnerability: Cross Site Scripting
Versions affected:
  • Backdrop Core 1.x.x versions prior to 1.9.4

CKEditor, a third-party JavaScript library included in Backdrop core, has fixed a cross-site scripting (XSS) vulnerability. It was possible to execute XSS inside CKEditor when using the image2 plugin, which Backdrop core also uses.

Solution: 

Upgrade your site to the most recent version of Backdrop core. The download is available on the Backdrop CMS 1.9.4 release page. See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: