- Backdrop Core 1.x.x versions prior to 1.12.4
The Views module included in Backdrop core doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances.
This vulnerability is mitigated by the fact that a view must have an exposed filter on a field that is used on multiple entity types, both of which are included in the view.
Additional information
Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:
Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.12.4 release page. See the update instructions, if needed.
- Klaus Purer
- Lucas Hedding
- Greg Knaddison of the Drupal Security Team
- Aaron Zinck
- Daniel Wehner
- Damien McKenna of the Drupal Security Team
- Vijaya Chandran Mani
- Nate Lampton of the Backdrop Security Team
- Damien McKenna of the Drupal Security Team
- Jen Lampton of the Backdrop Security Team
- Gregory Netsas of the Backdrop Security Team