- Cross Site Scripting
- Third Party Libraries
- Backdrop Core 1.19.x versions prior to 1.19.3
- Backdrop Core 1.18.x versions prior to 1.18.7
Backdrop versions 1.17 and prior do not receive security coverage.
The Backdrop project uses the CKEditor library for Rich-Text editing. CKEditor has released a security update that impacts Backdrop.
Vulnerabilities are possible if Backdrop remains configured to use the CKEditor library for Rich-Text editing.
An attacker who can enter or edit content as formatted text (even without access to the Rich-Text editor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target other people who have permission to use the Rich-Text editor on the same content, including site admins with privileged access.
If you are using the fakeobjects CKEditor plugin (not included with core), you will also want to update it.
Upgrade your site to the most recent version of Backdrop core. The download is available on the Backdrop CMS 1.19.3 release page. See the update instructions, if needed.
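To make the coverage above actionable from a shell, the following is an added example (not part of this advisory or of Backdrop's own code) that classifies a Backdrop core version against the releases listed here: 1.19.x before 1.19.3 and 1.18.x before 1.18.7 are affected, 1.17 and earlier are unsupported. It assumes that Backdrop's core/includes/bootstrap.inc defines the constant BACKDROP_VERSION (an assumption about the file layout), and it treats any 1.x release newer than those named in the advisory as carrying the fix, which is also an assumption.

```shell
#!/bin/sh
# Added example: check a Backdrop install against this advisory's version coverage.
# Prints one of: fixed | affected | unsupported

backdrop_affected() {
  ver="$1"
  major=${ver%%.*}            # "1" from "1.19.3"
  rest=${ver#*.}              # "19.3"
  minor=${rest%%.*}           # "19"
  patch=${rest#*.}            # "3"
  [ "$patch" = "$rest" ] && patch=0   # a bare "1.19" has no patch component

  if [ "$major" -ne 1 ]; then echo unsupported; return; fi
  # Backdrop 1.17 and earlier do not receive security coverage.
  if [ "$minor" -le 17 ]; then echo unsupported; return; fi
  # 1.18.x: fixed in 1.18.7
  if [ "$minor" -eq 18 ]; then
    [ "$patch" -ge 7 ] && echo fixed || echo affected
    return
  fi
  # 1.19.x: fixed in 1.19.3
  if [ "$minor" -eq 19 ]; then
    [ "$patch" -ge 3 ] && echo fixed || echo affected
    return
  fi
  # Newer than the releases named in the advisory; assumed to carry the fix.
  echo fixed
}

# Read the installed version. Assumption: bootstrap.inc contains a line of the form
#   define('BACKDROP_VERSION', '1.19.3');
backdrop_installed_version() {
  sed -n "s/^define('BACKDROP_VERSION', '\([^']*\)');.*/\1/p" \
    "$1/core/includes/bootstrap.inc"
}

# Usage: BACKDROP_ROOT=/var/www/backdrop sh check_backdrop.sh
if [ -n "${BACKDROP_ROOT:-}" ]; then
  v=$(backdrop_installed_version "$BACKDROP_ROOT")
  echo "Backdrop $v: $(backdrop_affected "$v")"
fi
```

Run it against the site's document root; an "affected" or "unsupported" result means the CKEditor-based Rich-Text editor is still exposed and the upgrade should be scheduled. The fakeobjects plugin is not shipped with core and is not covered by this check.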
- XSS vulnerability in Clipboard plugin reported by Anton Subbotin
- XSS vulnerability in Widget plugin reported by Anton Subbotin
- XSS vulnerability in Fake Objects plugin reported by Mika Kulmala
- Jess of the Drupal Security Team
- Jen Lampton of the Backdrop Security Team