- Backdrop Core 1.17.x versions prior to 1.17.1
- Backdrop Core 1.16.x versions prior to 1.16.4
Backdrop versions 1.15 and prior do not receive security coverage.
The Backdrop AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
This SA is equivalent to Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
If you were previously relying on Backdrop's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set
"jsonp: true", or you'll need to use the jQuery AJAX API directly.
If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set
"jsonp: false" where this is appropriate.
All Backdrop sites should also pass such URLs through the new
- Samuel Mortenson of the Drupal Security Team