Date: 
Thursday, Nov 18th, 2021
Security risk: 
Moderately Critical
Advisory ID: 
BACKDROP-SA-CORE-2021-006
Vulnerability: 
Cross Site Scripting
Third Party Libraries
Versions affected: 
  • Backdrop Core 1.20.x versions prior to 1.20.2
  • Backdrop Core 1.19.x versions prior to 1.19.5

Backdrop versions 1.18 and prior do not receive security coverage.
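To turn the version ranges above into a check an operator can run before and after patching, here is an added example script (not Backdrop project code). It assumes, as a labelled assumption, that Backdrop core records its version as `BACKDROP_VERSION` in `core/includes/bootstrap.inc`; the sample file contents embedded below are constructed for the example.

```python
"""Classify a Backdrop core version against BACKDROP-SA-CORE-2021-006.

Added example, not code from the Backdrop project.
Assumption: Backdrop core defines its version in
core/includes/bootstrap.inc as  define('BACKDROP_VERSION', '1.20.1');
"""
import re
import sys

# Fixed release per branch, taken from the advisory.  Branches older than
# OLDEST_COVERED (1.18 and earlier) receive no security coverage at all.
FIXED = {(1, 20): (1, 20, 2), (1, 19): (1, 19, 5)}
OLDEST_COVERED = (1, 19)

# Assumed format of the version define in bootstrap.inc.
DEFINE_RE = re.compile(r"define\(\s*'BACKDROP_VERSION'\s*,\s*'([^']+)'\s*\)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?")

# Constructed sample of the file this script reads; not a real checkout.
SAMPLE_BOOTSTRAP = """<?php
/**
 * @file
 * Functions that need to be loaded on every Backdrop request.
 */
define('BACKDROP_VERSION', '1.20.1');
define('BACKDROP_CORE_COMPATIBILITY', '1.x');
"""


def version_from_bootstrap(text):
    """Return the BACKDROP_VERSION string found in bootstrap.inc contents."""
    m = DEFINE_RE.search(text)
    if not m:
        raise ValueError("BACKDROP_VERSION define not found")
    return m.group(1)


def parse_version(text):
    """'1.20.1' -> (1, 20, 1, 1, ''); '1.20.2-rc1' -> (1, 20, 2, 0, 'rc1').

    The fourth field is 1 for a final release and 0 for a pre-release, so
    that tuple comparison sorts 1.20.2-rc1 before 1.20.2.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Backdrop version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4) or ""
    return (major, minor, patch, 0 if pre else 1, pre)


def classify(version_text):
    """Return 'fixed', 'affected' or 'unsupported' for one version string."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch < OLDEST_COVERED:
        return "unsupported"          # no security coverage, upgrade regardless
    if branch not in FIXED:
        return "fixed"                # branch newer than the advisory; contains the fix
    fixed = FIXED[branch] + (1, "")   # the fixed version is a final release
    return "fixed" if v >= fixed else "affected"


def check_site(bootstrap_text):
    """Combine both steps: read the version from bootstrap.inc and classify it."""
    version = version_from_bootstrap(bootstrap_text)
    return version, classify(version)


if __name__ == "__main__":
    # Usage: python check_backdrop.py [path/to/core/includes/bootstrap.inc]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            contents = fh.read()
    else:
        contents = SAMPLE_BOOTSTRAP
    ver, status = check_site(contents)
    print(f"Backdrop {ver}: {status}")
```

A `fixed` result only covers core; the advisory's precondition is that CKEditor is enabled for a text format, so also confirm which text formats expose the rich-text editor and which roles may use them.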

Description: 

The Backdrop CMS project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Backdrop, along with a hotfix for that update.

Vulnerabilities are possible only if Backdrop is configured to allow use of the CKEditor library for rich-text editing. An attacker who can create or edit content (even without access to the editor themselves) may be able to exploit one or more cross-site scripting (XSS) vulnerabilities against other users who do have access to the rich-text editor, including site administrators with privileged access.

For more information, see CKEditor's security advisories.

Solution: 

Upgrade your site to the most recent version of Backdrop core: 1.20.2, or 1.19.5 if you are staying on the 1.19.x branch. Downloads are available on the Backdrop CMS 1.20.2 release page. See the update instructions if needed.

Reported By: 
  • Jacek Bogdański coordinated the release with the Drupal project.
  • See the CKEditor announcements above for the original reporters of the vulnerabilities.
Fixed By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"