Date:
Wednesday, Apr 21st, 2021
Advisory ID:
BACKDROP-SA-CORE-2021-002
Security risk:
Critical
Vulnerability:
Cross Site Scripting
Versions affected:
- Backdrop Core 1.18.x versions prior to 1.18.3
- Backdrop Core 1.17.x versions prior to 1.17.7
Backdrop versions 1.16 and prior do not receive security coverage.
Description:
Backdrop core's sanitization API fails to properly filter cross-site scripting under certain circumstances.
Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.
Solution:
Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.18.3 release page. See the update instructions, if needed.
Reported By:
Fixed By:
- Alex Pott of the Drupal Security Team
- Jasper Mattsson
- Michael Hess of the Drupal Security Team
- Wim Leers
- Heine of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Jess of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- nwellnhof
- Alex Bronstein of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Adam G-H
- Drew Webber of the Drupal Security Team
- Jen Lampton of the Backdrop CMS Security Team