Date: Wednesday, Mar 15th, 2023
Advisory ID: BACKDROP-SA-CORE-2023-004
Security risk: Moderately Critical
Vulnerability: Access bypass
Versions affected:
  • Backdrop Core 1.24.x versions prior to 1.24.1
  • Backdrop Core 1.23.x versions prior to 1.23.2

Backdrop versions 1.22 and prior do not receive security coverage.

Description: 

Backdrop provides a page that outputs information from phpinfo() to assist with diagnosing issues with PHP configuration.

If an attacker were able to achieve an XSS exploit against a privileged user, they could use this page to read sensitive information about the PHP environment that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a separate, successful XSS exploit is required before it can be exploited.

Solution: 

Upgrade your site to the most recent version of Backdrop core. Downloads are available on the Backdrop CMS 1.24.1 release page. See the update instructions if needed.
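As an added check that is not part of this advisory, the affected-version ranges above encoded as a small Python classifier, so a site's version string can be triaged before upgrading. The `BACKDROP_VERSION` constant and its `core/includes/bootstrap.inc` location are assumptions about Backdrop's source layout, and treating branches newer than 1.24 as already carrying the fix is an assumption too.

```python
"""Triage a Backdrop core version against BACKDROP-SA-CORE-2023-004."""
import re

# Fixed releases per supported branch, taken from the advisory's "Versions affected".
FIXED_RELEASES = {(1, 24): (1, 24, 1), (1, 23): (1, 23, 2)}
# The advisory states that 1.22 and prior receive no security coverage at all.
LAST_UNCOVERED_BRANCH = (1, 22)


def parse_version(version):
    """Turn '1.24.0' (a trailing suffix such as '-rc1' is ignored) into (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Backdrop version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version):
    """Return 'unsupported', 'affected', 'fixed' or 'newer' for one version string.

    'unsupported' means no fix will ever ship for that branch, which is a
    different remediation path (move to a covered branch) than 'affected'.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch <= LAST_UNCOVERED_BRANCH:
        return "unsupported"
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # Assumption: a branch released after the advisory already contains the fix.
        return "newer"
    return "fixed" if v >= fixed else "affected"


def extract_version(bootstrap_source):
    """Pull the version out of bootstrap.inc text; assumes a BACKDROP_VERSION define."""
    m = re.search(r"define\(\s*'BACKDROP_VERSION'\s*,\s*'([^']+)'\s*\)", bootstrap_source)
    if not m:
        raise ValueError("BACKDROP_VERSION define not found")
    return m.group(1)


def classify_site(bootstrap_path="core/includes/bootstrap.inc"):
    """Classify the Backdrop install rooted in the current directory (assumed layout)."""
    with open(bootstrap_path, encoding="utf-8") as f:
        return classify(extract_version(f.read()))
```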

Reported By: 
Fixed By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"