Date: Wednesday, Aug 7th, 2019
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2019-012
Vulnerability: Information Disclosure, Remote Code Execution
Versions affected:
  • Backdrop Core 1.13.x versions prior to 1.13.3
  • Backdrop Core 1.12.x versions prior to 1.12.8

Backdrop CMS allows the upload of entire-site configuration archives through the user interface or command-line. Backdrop CMS does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to potentially be uploaded to the server.

This issue is mitigated by the fact that an attacker needs the "Synchronize, import, and export configuration" permission, which should only be given to trusted administrators. Other protections in Backdrop CMS prevent the execution of PHP scripts from the configuration directory, so another server-side scripting language must be available on the server for uploaded code to run.
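The following is an added example, not Backdrop's own code: a validator that applies the archive-content check the advisory describes as missing. It assumes (as a labelled assumption) that a site configuration archive is a tar archive whose entries are flat `*.json` files with no directory components, and it rejects anything else (non-regular files, paths, non-JSON names, entries whose body is not valid JSON) before the archive reaches the import step. The archives used in `demo()` are constructed inline for the example.

```python
import io
import json
import re
import tarfile

# Assumption for this example: a valid configuration entry is a flat file
# named like "module.settings.json". Anything else is rejected.
CONFIG_NAME = re.compile(r"^[A-Za-z0-9_.\-]+\.json$")


def check_config_archive(data: bytes) -> list:
    """Return a list of rejection reasons; an empty list means the archive is clean."""
    problems = []
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        return ["not a readable tar archive: %s" % exc]
    with tar:
        for member in tar.getmembers():
            name = member.name
            # Links, directories and device nodes have no place in a config export.
            if not member.isfile():
                problems.append("%s: not a regular file" % name)
                continue
            # Any path component could place a file outside the config directory.
            if "/" in name or "\\" in name or name.startswith(".."):
                problems.append("%s: contains a path component" % name)
                continue
            # Only *.json names are configuration; scripts of any language fail here.
            if not CONFIG_NAME.match(name):
                problems.append("%s: not a *.json configuration file" % name)
                continue
            # The body must parse as JSON, so a script renamed to .json is still caught.
            body = tar.extractfile(member).read()
            try:
                json.loads(body.decode("utf-8"))
            except (UnicodeDecodeError, ValueError):
                problems.append("%s: not valid JSON" % name)
    return problems


def build_archive(entries: dict) -> bytes:
    """Build an in-memory .tar.gz from {name: bytes}; used to construct test input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo() -> dict:
    """Run the validator over a clean and a tainted constructed archive."""
    clean = build_archive({"system.core.json": b'{"site_name": "example"}'})
    tainted = build_archive({
        "system.core.json": b'{"site_name": "example"}',
        "helper.py": b"print('not configuration')",   # constructed non-config script
        "../outside.json": b"{}",                       # constructed path traversal
        "fake.json": b"<?php echo 1; ?>",               # constructed script renamed to .json
    })
    return {"clean": check_config_archive(clean), "tainted": check_config_archive(tainted)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result or "accepted")
```

The check runs on the archive bytes before anything is written to disk, so a rejected archive never touches the configuration directory; `demo()` returns the validator's verdicts for both constructed archives.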

Solution: 

Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.13.3 release page. See the update instructions, if needed.

Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"