Date: Thursday, Aug 12th, 2021
Security risk: Moderately Critical
Advisory ID: BACKDROP-SA-CORE-2021-005
Vulnerability: Cross Site Scripting, Third Party Libraries
Versions affected:
  • Backdrop Core 1.19.x versions prior to 1.19.3
  • Backdrop Core 1.18.x versions prior to 1.18.7

Backdrop versions 1.17 and prior do not receive security coverage.

Description: 

The Backdrop project uses the CKEditor library for Rich-Text editing. CKEditor has released a security update that impacts Backdrop.

Vulnerabilities are possible if Backdrop remains configured to use the CKEditor library for Rich-Text editing.

An attacker who can enter or edit content as formatted text (even without access to the Rich-Text editor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target other people who have permission to use the Rich-Text editor on the same content, including site admins with privileged access.

If you're using the fakeobjects CKEditor plugin (not included with core), you will also want to update that plugin.

Solution: 

Upgrade your site to the most recent version of Backdrop core. The download is available on the Backdrop CMS 1.19.3 release page. See the update instructions if needed.
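When auditing several Backdrop sites against this advisory, the practical check is whether each install's core version falls inside the affected ranges listed above (1.19.x before 1.19.3, 1.18.x before 1.18.7, anything 1.17 or older out of coverage). The following is an added example, not code from the advisory or from the Backdrop project. It assumes, as stated in its docstring and not by the advisory, that Backdrop records its version as `define('BACKDROP_VERSION', '1.x.y');` in `core/includes/bootstrap.inc`; `classify()` itself only needs the version string, so it can be fed from any other source of truth.

```python
"""Classify a Backdrop core version against the ranges in BACKDROP-SA-CORE-2021-005.

Added example; not code from the advisory or the Backdrop project.
Assumption (not stated by the advisory): Backdrop records its version as
    define('BACKDROP_VERSION', '1.x.y');
in core/includes/bootstrap.inc. Verify that against your own checkout.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# First patch release on each branch that the advisory names as fixed.
FIXED_PATCH = {(1, 19): 3, (1, 18): 7}
# Branches older than 1.18 do not receive security coverage (per the advisory).
OLDEST_COVERED_BRANCH = (1, 18)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
DEFINE_RE = re.compile(r"define\(\s*'BACKDROP_VERSION'\s*,\s*'([^']+)'\s*\)")


def is_release_version(version: str) -> bool:
    """True for a strict x.y.z release string; dev/branch strings like
    '1.19.x-dev' cannot be placed against the advisory."""
    return VERSION_RE.fullmatch(version.strip()) is not None


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a strict x.y.z release string into integers; reject anything else."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"not a release version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def classify(version: str) -> str:
    """Return one of 'affected', 'fixed', 'unsupported' or 'not_listed'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < OLDEST_COVERED_BRANCH:
        # 1.17 and earlier: out of security coverage, so treat as needing a major upgrade.
        return "unsupported"
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        # A branch the advisory does not mention (for example a later 1.20.x):
        # this check cannot say whether it carries the fix; read that branch's release notes.
        return "not_listed"
    return "affected" if patch < fixed else "fixed"


def version_from_bootstrap_text(text: str) -> Optional[str]:
    """Extract the BACKDROP_VERSION constant from bootstrap.inc source text (assumed layout)."""
    m = DEFINE_RE.search(text)
    return m.group(1) if m else None


def check_install(root) -> str:
    """Classify the Backdrop checkout rooted at `root` (assumed file layout, see docstring)."""
    inc = Path(root) / "core" / "includes" / "bootstrap.inc"
    version = version_from_bootstrap_text(inc.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        raise ValueError(f"no BACKDROP_VERSION constant found in {inc}")
    return classify(version)


if __name__ == "__main__":
    # Constructed fragment standing in for bootstrap.inc; not real Backdrop source.
    SAMPLE = "<?php\n/**\n * Backdrop core version.\n */\ndefine('BACKDROP_VERSION', '1.19.2');\n"
    found = version_from_bootstrap_text(SAMPLE)
    print(found, "->", classify(found))   # 1.19.2 -> affected
```

Run `check_install("/path/to/backdrop")` per site; anything reported as `affected` or `unsupported` needs the upgrade described above, and `not_listed` means the branch is newer than this advisory covers and must be judged from its own release notes.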

Reported By:
Fixed By:
  • Jess of the Drupal Security Team
  • Jen Lampton of the Backdrop Security Team

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"