Advisory ID: 
BACKDROP-SA-CORE-2018-004
Vulnerability: 
Remote Code Execution
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.9.5

A remote code execution vulnerability exists within multiple subsystems of Backdrop. This potentially allows attackers to exploit multiple attack vectors on a Backdrop site, which could result in the site being compromised. This vulnerability is related to Backdrop core - Highly Critical - Remote Code Execution - BACKDROP-SA-CORE-2018-002. While BACKDROP-SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release.

Solution: 

Upgrade your site to the most recent version of Backdrop core.  Download available on the Backdrop CMS 1.9.5 release page.  See the update instructions, if needed.

  • If you are running 1.9.x, upgrade to Backdrop  1.9.5. (If you are unable to update immediately, you may apply the patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 1.8.x, upgrade to Backdrop 1.8.4. (While Backdrop 1.8.x is no longer supported, and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing a releases for 1.8 that include this fix.)

This patch will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)

Reported By: 
Fixed By: 
Coordinated By: