- Backdrop Core 1.16.x versions prior to 1.16.1
- Backdrop Core 1.15.x versions prior to 1.15.3
Backdrop versions 1.14 and prior do not receive security coverage.
Backdrop CMS has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.
The vulnerability is caused by insufficient validation of the destination query parameter in the
- Jen Lampton of the Backdrop CMS Security Team
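
One way to validate a destination value before redirecting, shown as an added PHP example that is neither Backdrop's code nor its patch. The function names and sample values are hypothetical, and the example assumes only site-relative destinations should be honoured.

```php
<?php
// Added example, not Backdrop's code: names and sample values are hypothetical.

/**
 * Return true only when $dest is a site-relative path that a browser
 * cannot reinterpret as an absolute or protocol-relative URL.
 */
function is_local_destination(string $dest): bool {
  // Browsers strip tabs/newlines inside URLs and treat "\" like "/",
  // so values containing them can resolve to another host.
  if ($dest === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $dest)) {
    return false;
  }
  $dest = ltrim($dest, ' ');
  // Protocol-relative form: "//host/path".
  if (strncmp($dest, '//', 2) === 0) {
    return false;
  }
  // Any scheme appearing before the first "/", "?" or "#", e.g. "https:".
  if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $dest)) {
    return false;
  }
  return true;
}

/** Choose the redirect target, falling back when validation fails. */
function redirect_target(?string $dest, string $fallback = '/'): string {
  if ($dest === null || !is_local_destination($dest)) {
    return $fallback;
  }
  // Force exactly one leading slash so the result stays same-origin.
  return '/' . ltrim($dest, ' /');
}

// Constructed sample values for the destination query parameter.
$samples = [
  'node/1',
  '/admin/content?page=2',
  'https://evil.example/login',
  '//evil.example/login',
  '/\\evil.example',
  "/\t/evil.example",
];
foreach ($samples as $s) {
  printf("%-32s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), redirect_target($s));
}
```

The first two samples are kept as local paths; the remaining four fall back to "/".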