- Backdrop Core 1.x versions prior to 1.12.2 and 1.11.5.
Versions of Backdrop CMS prior to 1.11.x do not receive security coverage.
Link fields do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
Note: A site is only affected by this if the site has a web services module enabled (like Services module) or exposes another API that allows content creation.
Upgrade your site to the most recent version of Backdrop core, available for download on the Backdrop CMS 1.12.3 release page. See the update instructions, if needed.
- Samuel Mortenson of the Drupal Security Team
- Nate Lampton of the Backdrop CMS Security Team
- Sascha Grossenbacher
- Peter Wolanin of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- Daniel Wehner
- Cash Williams of the Drupal Security Team
- Wim Leers
- Jess of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Francesco Placella
- Damian Lee
- Tobias Zimmermann
- Ted Bowman
- Damien McKenna of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Rob Loach
- Gabe Sullice
- Michael Hess of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Heshan Wanigasooriya
- David Snopek of the Drupal Security Team
- Wolfgang Ziegler
- Miro Dietiker
- Truls S. Yggeseth
- Jen Lampton of the Backdrop CMS Security Team
- Gregory Netsas