Advisory ID: 
Cross Site Scripting
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.9.4

CKEditor, a third-party JavaScript library included in Backdrop core, has fixed a cross-site scripting (XSS) vulnerability. It was possible to execute XSS inside CKEditor when using the image2 plugin, which Backdrop core also uses.


Upgrade your site to the most recent version of Backdrop core. A download is available on the Backdrop CMS 1.9.4 release page. See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: