- Backdrop Core 1.15.x versions prior to 1.15.1
- Backdrop Core 1.14.x versions prior to 1.14.4
Backdrop versions 1.13 and prior do not receive security coverage.
Vulnerabilities are possible if Backdrop is configured to use the Rich-Text editor, CKEditor, for editing content. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.
The latest versions of Backdrop update CKEditor to 4.14 to mitigate the vulnerabilities.
- Nate Lampton of the Backdrop CMS Security Team