- Backdrop Core 1.12.x versions prior to 1.12.6
- Backdrop Core 1.11.x versions prior to 1.11.9
The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:
jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.
It's possible that this vulnerability is exploitable with some Backdrop modules. As a precaution, this Backdrop security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version 1.12.4 that is included in Backdrop core.
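To make the quoted behaviour concrete, here is a minimal deep-extend modelled on jQuery.extend(true, target, source), with the guard jQuery 3.4.0 added toggled on and off. This is an added illustration, not Backdrop's or jQuery's code, and the JSON input is constructed.

```javascript
// Minimal stand-in for jQuery.extend(true, target, source): recursive merge.
// `skipProto` toggles the check jQuery 3.4.0 introduced into jQuery.extend.
function deepExtend(target, source, skipProto) {
  for (const name in source) {
    const copy = source[name];
    // The 3.4.0 fix: never merge into a key named __proto__ (and never into
    // the target itself, which jQuery already skipped to avoid infinite loops).
    if (skipProto && (name === "__proto__" || target === copy)) continue;
    if (copy && typeof copy === "object" && !Array.isArray(copy)) {
      // Without the guard, target["__proto__"] resolves to Object.prototype,
      // so the recursion writes the source's keys onto every object.
      const existing = target[name];
      const clone = existing && typeof existing === "object" ? existing : {};
      target[name] = deepExtend(clone, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed sample: untrusted JSON carrying an enumerable own "__proto__" key.
// JSON.parse creates it as an ordinary own property, so for...in enumerates it.
const UNTRUSTED_JSON = '{"title": "hello", "__proto__": {"isAdmin": true}}';

// Merge the sample into an empty object and report whether an unrelated,
// freshly created object now inherits the injected key.
function demonstrate(skipProto) {
  const merged = deepExtend({}, JSON.parse(UNTRUSTED_JSON), skipProto);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so the process stays sane
  return { title: merged.title, leaked };
}
```

demonstrate(false) reports leaked === true (the pre-3.4.0 behaviour); demonstrate(true) reports leaked === false while still merging ordinary keys such as title.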
Upgrade your site to the most recent version of Backdrop core. The download is available on the Backdrop CMS 1.12.6 release page. See the update instructions, if needed.
- Alex Bronstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Jess of the Drupal Security Team
- Lauri Eskola
- Greg Knaddison of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- Nate Lampton of the Backdrop CMS Security Team
- Jen Lampton of the Backdrop CMS Security Team
- Gregory Netsas of the Backdrop CMS Security Team