Date: 
Wednesday, Mar 25th, 2020
Security risk: 
Moderately Critical
Advisory ID: 
BACKDROP-SA-CORE-2020-001
Vulnerability: 
Third Party Libraries
Versions affected: 
  • Backdrop Core 1.15.x versions prior to 1.15.1
  • Backdrop Core 1.14.x versions prior to 1.14.4

Backdrop versions 1.13 and prior do not receive security coverage.

Description: 

The Backdrop project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Backdrop configurations.

Vulnerabilities are possible if Backdrop is configured to use the Rich-Text editor, CKEditor, for editing content. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.

The latest versions of Backdrop update CKEditor to 4.14 to mitigate the vulnerabilities.

Solution: 

Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.x.x release page. See the update instructions, if needed.

The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated.

Fixed By: 
  • Nate Lampton of the Backdrop CMS Security Team

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"