- Backdrop Core 1.12.x versions prior to 1.12.4
- Backdrop Core 1.11.x versions prior to 1.11.7
The Views module included in Backdrop core doesn't sufficiently sanitize certain field types, leading to a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that a view must display a field with the format "Full data (serialized)" and an attacker must have the ability to store malicious markup in that field.
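To check a site against the two conditions above, the following added example (not code from Backdrop or from this advisory) tests a core version against the affected ranges and lists view fields that use the serialized display format. It assumes a view's exported JSON keeps fields under `display.<id>.display_options.fields` and stores "Full data (serialized)" as `format: "serialized"`; the sample view is constructed.

```python
import json
import re

# Affected ranges from the advisory: 1.12.x before 1.12.4, 1.11.x before 1.11.7.
FIXED = {(1, 12): 4, (1, 11): 7}

def is_affected(version):
    """True if a Backdrop core version string falls in a range the advisory lists."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognized version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def serialized_fields(view):
    """Return sorted (display_id, field_id) pairs that output serialized data."""
    hits = []
    for display_id, display in view.get("display", {}).items():
        fields = display.get("display_options", {}).get("fields", {})
        if not isinstance(fields, dict):
            continue
        for field_id, field in fields.items():
            # Assumption: "Full data (serialized)" is stored as format == "serialized".
            if isinstance(field, dict) and field.get("format") == "serialized":
                hits.append((display_id, field_id))
    return sorted(hits)

# Constructed sample view config (not taken from a real site).
SAMPLE_VIEW = json.loads("""
{
  "name": "member_report",
  "display": {
    "default": {"display_options": {"fields": {
      "name": {"table": "users", "field": "name"},
      "data": {"table": "users", "field": "data", "format": "serialized"}
    }}},
    "page": {"display_options": {"fields": {
      "data": {"table": "users", "field": "data", "format": "unserialized"}
    }}}
  }
}
""")

if __name__ == "__main__":
    for v in ("1.12.3", "1.12.4", "1.11.6", "1.10.0"):
        print(v, "affected" if is_affected(v) else "not listed as affected")
    print(serialized_fields(SAMPLE_VIEW))
```

A match is a candidate for review: check who can write to the underlying field before treating the view as exposed.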
Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core: