Date:
Thursday, Mar 14th, 2019
Advisory ID:
BACKDROP-SA-CORE-2019-007
Security risk:
Less Critical
Vulnerability:
Cross Site Scripting
Versions affected:
- Backdrop Core 1.12.x versions prior to 1.12.4
- Backdrop Core 1.11.x versions prior to 1.11.7
Description:
The Views module included in Backdrop core doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that a view must display a field with the format "Full data (serialized)" and an attacker must have the ability to store malicious markup in that field.
Additional information
Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:
Solution:
Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.12.4 release page. See the update instructions, if needed.
Reported By:
Fixed By:
- Ralf Stamm
- Damian Lee
- Daniel Wehner
- David Snopek of the Drupal Security Team
- Nate Lampton of the Backdrop Security Team
Coordinated By:
- Damien McKenna of the Drupal Security Team
- Jen Lampton of the Backdrop Security Team
- Gregory Netsas of the Backdrop Security Team