Date: 
Wednesday, May 20th, 2020
Security risk: 
Moderately Critical
Advisory ID: 
BACKDROP-SA-CORE-2020-002
Vulnerability: 
Cross Site Scripting
Versions affected: 
  • Backdrop Core 1.16.x versions prior to 1.16.1
  • Backdrop Core 1.15.x versions prior to 1.15.3

Backdrop versions 1.14 and prior do not receive security coverage.

Description: 

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

[...] security issues in jQuery’s DOM manipulation methods, as in .html().append(), and the others. Security advisories for both of these issues have been published on GitHub.

Those advisories are:

These vulnerabilities may be exploitable on some Backdrop sites. This security release backports the fixes to the relevant jQuery functions without making any other changes to the jQuery version that is included in core, or running on the site via some other module such as jQuery Update. It is not necessary to update jquery_update on sites that have the module installed.

Backwards-compatibility code has also been added to minimize regressions to sites that might rely on jQuery's prior behavior. With jQuery 3.5, incorrect self-closing HTML tags in JavaScript for elements where end tags are normally required will encounter a change in what jQuery returns or inserts. To minimize that disruption, this security release retains jQuery's prior behavior for most safe tags. There may still be regressions for edge cases, including invalidly self-closed custom elements on Internet Explorer.

If you find a regression caused by the jQuery changes, please report it in Backdrop core's issue queue (or that of the relevant contrib project). However, if you believe you have found a security issue, please report it privately to the Backdrop Security Team.

Solution: 

Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.16.1 release page. See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"