- Backdrop Core 1.13.x versions prior to 1.13.3
- Backdrop Core 1.12.x versions prior to 1.12.8
Backdrop CMS allows the upload of entire-site configuration archives through the user interface or the command line. Backdrop CMS does not sufficiently validate the contents of uploaded archives, so files that are not configuration data, including scripts, can potentially be written to the server.
This issue is mitigated by the fact that an attacker needs the "Synchronize, import, and export configuration" permission, which should only be granted to trusted administrators. Other protective measures in Backdrop CMS prevent the execution of PHP scripts, so exploitation requires that another server-side scripting language be available on the server for code to execute.
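As an added illustration of the missing check (example code, not Backdrop's own importer), the following Python validator inspects a configuration archive before it is handed to the import step and reports every member that is not a flat, top-level `.json` configuration file. It assumes exports are `.tar.gz` archives containing files such as `system.core.json`; the sample archive it builds is constructed for the demonstration.

```python
"""Pre-upload sanity check for a Backdrop CMS configuration archive.

Added example, not Backdrop's own import code: it inspects a .tar.gz
configuration export and reports entries that are not plain top-level
JSON configuration files, the class of content the advisory says the
affected versions did not reject."""
import io
import re
import tarfile

# Assumption: Backdrop config entries are flat files named like "system.core.json".
CONFIG_NAME = re.compile(r"^[A-Za-z0-9_.\-]+\.json$")


def check_config_archive(data: bytes) -> list:
    """Return (member_name, reason) for every member that must not be imported.
    An empty list means every member is a top-level .json config file."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            name = member.name
            if not member.isfile():
                problems.append((name, "not a regular file"))
            elif "/" in name or "\\" in name or name.startswith(".."):
                problems.append((name, "path component or traversal in name"))
            elif not CONFIG_NAME.match(name):
                problems.append((name, "not a .json configuration file"))
    return problems


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate config file plus two entries
    of the kind the check is meant to catch (a script and a traversal name)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in [
            ("system.core.json", b'{"site_name": "example"}'),
            ("not-config.sh", b"echo hello\n"),
            ("../settings.json", b"{}"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in check_config_archive(build_sample_archive()):
        print(f"reject {name}: {reason}")
```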
- Nate Lampton of the Backdrop CMS Security Team