Date: Thursday, Mar 14th, 2019
Security risk: Moderately Critical
Advisory ID: BACKDROP-SA-CORE-2019-006
Vulnerability: Information Disclosure
Versions affected:
  • Backdrop Core 1.x.x versions prior to 1.12.4

The Views module included in Backdrop core does not build queries correctly when used with exposed filters, which can lead to information disclosure in certain rare circumstances.

This vulnerability is mitigated by the fact that a view must have an exposed filter on a field that is used on multiple entity types, both of which are included in the view.

Additional information

Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:

Solution: 

Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.12.4 release page. See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"