- Backdrop Core 1.29.x versions prior to 1.29.2
- Backdrop Core 1.28.x versions prior to 1.28.4
Backdrop versions 1.27 and prior do not receive security coverage.
Backdrop core contains a potential PHP Object Injection vulnerability that, if combined with another exploit, could lead to Remote Code Execution.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Backdrop core.
As part of the protection against this potential vulnerability, additional checks have been added to some of Backdrop core's database related code.
Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.29.2 release page. See the update instructions, if needed.
- Drew Webber of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Fabian Franz
- Juraj Nemec of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Dave Long of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Nate Lampton of the Backdrop CMS Security Team
- Juraj Nemec of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- xjm of the Drupal Security Team
- Jen Lampton of the Backdrop CMS Security Team