Advisory ID: BACKDROP-SA-CORE-2019-007
Date: Thursday, Mar 14th, 2019
Vulnerability: Cross Site Scripting
Versions affected:
  • Backdrop Core 1.x.x versions prior to 1.12.4

The Views module included in Backdrop core doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that a view must display a field with the format "Full data (serialized)" and an attacker must have the ability to store malicious markup in that field.
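To check whether a site meets the first mitigating condition, the following added example (not part of the advisory or of Backdrop's code) walks one view's exported configuration and lists every field displayed as serialized data. The JSON layout and the stored value `serialized` for "Full data (serialized)" are assumptions about how Views saves its settings, and the sample view is constructed.

```python
import json

# Constructed sample of one exported view, not taken from a real site.
# Assumed layout: display -> <id> -> display_options -> fields -> <field id>,
# with the serialized-data field handler storing its choice under "format".
SAMPLE_VIEW = json.loads("""
{
  "name": "example_audit_view",
  "display": {
    "default": {
      "display_options": {
        "fields": {
          "title": {"table": "node", "field": "title"},
          "data": {"table": "example_table", "field": "data",
                   "format": "serialized"}
        }
      }
    },
    "page": {
      "display_options": {
        "fields": {
          "data": {"table": "example_table", "field": "data",
                   "format": "unserialized"}
        }
      }
    }
  }
}
""")

RISKY_FORMAT = "serialized"  # assumed stored value for "Full data (serialized)"


def find_serialized_fields(view):
    """Return sorted (view, display, field) tuples that use the risky format."""
    hits = []
    displays = view.get("display")
    for display_id, display in (displays.items() if isinstance(displays, dict) else []):
        opts = display.get("display_options") if isinstance(display, dict) else None
        fields = opts.get("fields") if isinstance(opts, dict) else None
        for field_id, cfg in (fields.items() if isinstance(fields, dict) else []):
            if isinstance(cfg, dict) and cfg.get("format") == RISKY_FORMAT:
                hits.append((view.get("name", "?"), display_id, field_id))
    return sorted(hits)


if __name__ == "__main__":
    for name, display_id, field_id in find_serialized_fields(SAMPLE_VIEW):
        print(f"{name}: display '{display_id}' shows '{field_id}' as serialized data")
```

Any view it reports should be reviewed for who can write to the underlying field until the site is on 1.12.4 or later.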

Additional information

Note: Backdrop issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Backdrop core:

Solution: 

Upgrade your site to the most recent version of Backdrop core. A download is available on the Backdrop CMS 1.12.4 release page. See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: