- Backdrop Core 1.30.x versions prior to 1.30.2
- Backdrop Core 1.29.x versions prior to 1.29.4
Backdrop versions 1.28 and prior do not receive security coverage.
Backdrop CMS includes bulk operations for content that allow people to modify multiple nodes at once from the Manage Content page (admin/content). These bulk operations can also be added to other listings using Views.
A bug in the core Actions system allows some people to use bulk actions to modify some values that they would not have permission to modify when editing individual nodes.
This vulnerability is mitigated by the fact that an attacker must have permission to access the /admin/content page, or other custom views used to modify nodes.
In particular, the following bulk actions now require either the "Administer content" permission, or the "Bypass content access control" permission.
- Make content sticky
- Make content unsticky
- Promote content
- Remove promotion
- Publish content
- Unpublish content
- Delete content
Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.30.2 release page. See the update instructions, if needed.
- Jen Lampton of the Backdrop CMS Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- jeff cardwell
- Mingsong (mingsong) Provisional Member of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team