- Backdrop Core 1.19.x versions prior to 1.19.3
- Backdrop Core 1.18.x versions prior to 1.18.7
Backdrop versions 1.17 and prior do not receive security coverage.
The Backdrop project uses the CKEditor library for Rich-Text editing. CKEditor has released a security update that impacts Backdrop.
Vulnerabilities are possible if Backdrop remains configured to use the CKEditor library for Rich-Text editing.
An attacker that can enter or edit content as formatted text (even without access to the Rich-Text editor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target other people who have permission to use the Rich-Text editor on the same content, including site admins with privileged access.
If you're using the fakeobjects CKEditor plugin (not included with core), you will also want to update that plugin.
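As an added example that is not part of the advisory, the following Python check classifies a reported Backdrop core version against the affected, fixed and unsupported ranges listed above. It assumes versions are plain "major.minor.patch" strings; Backdrop's own update status report remains the authoritative check.

```python
"""Classify a Backdrop core version against this advisory's ranges.

Added example, not from the advisory. Assumes versions are plain
"major.minor.patch" strings as Backdrop reports them.
"""
import re

# First fixed release on each affected branch named in the advisory.
FIXED_RELEASES = {(1, 18): (1, 18, 7), (1, 19): (1, 19, 3)}
# Branches 1.17 and earlier receive no security coverage at all.
LAST_UNSUPPORTED_BRANCH = (1, 17)


def parse_version(version: str) -> tuple:
    """Parse "1.19.2" into (1, 19, 2); raise ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Backdrop version: {version!r}")
    return tuple(int(part) for part in m.groups())


def assess(version: str) -> str:
    """Return 'unsupported', 'vulnerable', 'fixed', or 'not-covered'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch <= LAST_UNSUPPORTED_BRANCH:
        return "unsupported"  # no security coverage: upgrade regardless
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return "not-covered"  # branch not listed in this advisory
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions covering every outcome.
    for v in ("1.17.5", "1.18.6", "1.18.7", "1.19.2", "1.19.3", "1.20.0"):
        print(v, "->", assess(v))
```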
- Jess of the Drupal Security Team
- Jen Lampton of the Backdrop Security Team