Advisory ID: BACKDROP-SA-CORE-2018-006
Date: Thursday, Oct 18th, 2018
Vulnerability: Remote Code Execution, Open Redirect
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.11.2

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

When sending email, some variables were not being sanitized before being used as shell arguments, which could lead to remote code execution.
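PHP's mail() passes its fifth argument to the configured sendmail binary as command-line options, so any value that ends up there (the classic case is an address used to build the -f envelope-sender option) is a shell argument and has to be validated and quoted. The following is an added example of that hardening; it is not Backdrop's code and not the actual fix, the function names are hypothetical, and the inputs at the bottom are constructed for a CLI self-check.

```php
<?php
// Added example (not Backdrop's code): hardening a Return-Path value before
// it is handed to PHP's mail() fifth parameter, which becomes command-line
// arguments for the local sendmail binary.

/**
 * Validate an address that will be used as the envelope sender.
 *
 * Returns the address if it is a single, syntactically valid email address
 * with no whitespace or shell metacharacters; returns NULL otherwise.
 */
function envelope_sender_or_null(string $address): ?string {
  $address = trim($address);
  // One bare address: no display name, no angle brackets, no spaces.
  if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
    return NULL;
  }
  // Defence in depth: refuse characters that could split the value into
  // extra argv entries or be interpreted by a shell, even though
  // escapeshellarg() quotes the result below. (FILTER_VALIDATE_EMAIL still
  // accepts a single quote in the local part, for example.)
  if (preg_match('/[\s"\'`$\\\\;&|<>()]/', $address)) {
    return NULL;
  }
  return $address;
}

/**
 * Build the string for mail()'s $additional_params argument.
 *
 * The vulnerable pattern is '-f' . $from with $from taken straight from a
 * request or a site setting; the hardened form validates, then quotes.
 */
function sendmail_extra_params(string $return_path): ?string {
  $sender = envelope_sender_or_null($return_path);
  if ($sender === NULL) {
    // Never fall back to the raw value: send without -f, or refuse to send.
    return NULL;
  }
  return '-f' . escapeshellarg($sender);
}

// Constructed inputs for a CLI self-check (php this_file.php).
$cases = [
  'noreply@example.com',
  // Constructed hostile value: a valid address followed by a space and an
  // additional, space-separated option for the mail transport.
  'attacker@example.com -Ofoo=bar',
  // Valid per RFC 5321 but contains a quote: rejected by the second check.
  "a'b@example.com",
];
foreach ($cases as $input) {
  $params = sendmail_extra_params($input);
  printf("%-40s => %s\n", $input, $params === NULL ? 'REJECTED' : $params);
}
```

The value returned by sendmail_extra_params() is the only thing that should reach mail() as its fifth argument; when it is NULL, send the message without an envelope-sender override rather than substituting the unvalidated input.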

External URL injection through URL aliases - Moderately Critical - Open Redirect

The path module allows users with the `administer paths` permission to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious URL.

The issue is mitigated by the fact that the user needs the `administer paths` permission to exploit it.
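A value that a URL builder or a browser resolves to another host (an absolute URL, a protocol-relative `//host` path, or a scheme prefix such as `javascript:`) must never be accepted as either side of a URL alias. The following is an added example of a validation step for the alias form, not Backdrop's own path module code; the function names are hypothetical and the inputs at the bottom are constructed for a CLI self-check.

```php
<?php
// Added example (not Backdrop's path module): validate the two fields of a
// URL alias form so that neither the alias nor its source can resolve
// outside this site.

/**
 * Returns TRUE if $path can only ever resolve inside this site.
 */
function internal_path_only(string $path): bool {
  $path = trim($path);
  if ($path === '') {
    return FALSE;
  }
  // Browsers strip tabs and newlines before parsing a URL, so "/\n/host"
  // becomes "//host". Reject control characters up front instead of trying
  // to reason about each normalisation.
  if (preg_match('/[\x00-\x1f\x7f]/', $path)) {
    return FALSE;
  }
  // Two leading slashes or backslashes (or a mix) is protocol-relative:
  // //evil.example/ points at another host with the current scheme.
  if (preg_match('!^[/\\\\]{2}!', $path)) {
    return FALSE;
  }
  // A colon before any '/', '?' or '#' means the leading part is a URL
  // scheme (http:, https:, javascript:, data:, ...). A colon that appears
  // later, inside a path segment or query string, is still internal.
  $colon = strpos($path, ':');
  if ($colon !== FALSE && !preg_match('![/?#]!', substr($path, 0, $colon))) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Form-validation style wrapper: returns a list of error messages, empty
 * when both fields are acceptable.
 */
function validate_alias_form(string $source, string $alias): array {
  $errors = [];
  foreach (['source' => $source, 'alias' => $alias] as $field => $value) {
    if (!internal_path_only($value)) {
      $errors[] = sprintf('The %s %s must be a path on this site, not an external URL.',
        $field, json_encode($value));
    }
  }
  return $errors;
}

// Constructed inputs for a CLI self-check (php this_file.php).
$cases = [
  ['node/12', 'about-us'],
  ['node/12', '//evil.example/phish'],
  ['https://evil.example/', 'about-us'],
  ['node/12', "/\n/evil.example"],
  ['node/12', 'java script:alert(1)'],
  ['node/12', 'docs/section:intro'],   // colon after a slash: still internal
];
foreach ($cases as [$source, $alias]) {
  $errors = validate_alias_form($source, $alias);
  printf("%-22s %-24s => %s\n", json_encode($source), json_encode($alias),
    $errors ? implode('; ', $errors) : 'ok');
}
```

The same internal_path_only() check belongs anywhere a stored alias or source is later turned into a redirect, so that a record written before the validation existed is still refused at the point it would send a browser elsewhere.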

Solution: 

Upgrade your site to the most recent version of Backdrop core. The download is available on the Backdrop CMS 1.11.2 release page. See the update instructions if needed.

Reported By: 
Fixed By: 
Coordinated By: