Date:
Wednesday, Jun 17th, 2020
Advisory ID:
BACKDROP-SA-CORE-2020-004
Security risk:
Critical
Vulnerability:
Cross Site Request Forgery
CVE ID:
Versions affected:
- Backdrop Core 1.16.x versions prior to 1.16.2
- Backdrop Core 1.15.x versions prior to 1.15.4
Backdrop versions 1.14 and prior do not receive security coverage.
Description:
The Backdrop core Form API does not properly handle form input from cross-site requests, which can lead to other vulnerabilities.
Solution:
Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.16.2 release page. See the update instructions, if needed.
Reported By:
- Samuel Mortenson of the Drupal Security Team
- Dor Tumarkin
Fixed By:
- Greg Knaddison of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- Jess of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Angie Byron of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Daniel Wehner
- Dor Tumarkin
- Drew Webber of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Jen Lampton of the Backdrop Security Team
Coordinated By:
- Jen Lampton of the Backdrop Security Team