- Backdrop Core 1.30.x versions prior to 1.30.2
- Backdrop Core 1.29.x versions prior to 1.29.5
Backdrop versions 1.28 and prior do not receive security coverage.
In specialized scenarios, attributes on Backdrop core Link fields may not be sufficiently sanitized, which can lead to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is not directly exploitable within core itself, nor do any contributed modules appear to exhibit the behavior; the problem has not been reproducible without a specialized module. The fix is a security hardening measure to prevent such attacks in the future.
Sites are not affected unless they extend the Link field module in ways that allow additional link attributes to be input.
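The kind of attribute sanitization the advisory calls for, as an added illustration (not Backdrop core code; the attribute and scheme allowlists, and the shape of the `$attrs` array, are assumptions made for this example):

```php
<?php
// Added illustration, not Backdrop core code. The allowlists and the shape of
// the $attrs array are assumptions made for this example.
// Attribute names a Link field extension may pass through unchanged.
const LINK_ATTR_ALLOWLIST = ['title', 'class', 'id', 'rel', 'target'];
// URL schemes accepted in href; anything else (javascript:, data:, ...) is dropped.
const LINK_SAFE_SCHEMES = ['http', 'https', 'mailto', 'tel'];

/** Keep only allowlisted attribute names and HTML-escape their values. */
function sanitize_link_attributes(array $attrs): array {
  $clean = [];
  foreach ($attrs as $name => $value) {
    $name = strtolower(trim((string) $name));
    if (!in_array($name, LINK_ATTR_ALLOWLIST, true)) {
      continue; // discards on* handlers, style, and any unknown attribute
    }
    // Escaping quotes and angle brackets keeps the value inside its attribute.
    $clean[$name] = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
  }
  return $clean;
}

/** Accept an href only if it is relative or uses an allowlisted scheme. */
function sanitize_link_href(string $url): ?string {
  $url = trim($url);
  // Browsers ignore embedded control characters when parsing the scheme, so strip them first.
  $probe = preg_replace('/[\x00-\x20]+/', '', $url);
  if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)
      && !in_array(strtolower($m[1]), LINK_SAFE_SCHEMES, true)) {
    return NULL;
  }
  return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render the anchor from sanitized parts; returns '' when the href is rejected. */
function render_link(string $url, string $text, array $attrs): string {
  $href = sanitize_link_href($url);
  if ($href === NULL) {
    return '';
  }
  $html = '<a href="' . $href . '"';
  foreach (sanitize_link_attributes($attrs) as $name => $value) {
    $html .= ' ' . $name . '="' . $value . '"';
  }
  return $html . '>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Constructed sample: module-supplied attributes including an event handler and a quote.
echo render_link('https://example.com/', 'Example',
  ['title' => 'Go "there"', 'onclick' => 'trackClick()', 'rel' => 'nofollow']), "\n";
```

The `onclick` entry is dropped and the quote in `title` is escaped, so the rendered anchor carries only the allowlisted attributes.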
Upgrade your site to the most recent version of Backdrop core; the download is available on the Backdrop CMS 1.30.2 release page. See the update instructions if needed.
- Nate Lampton (quicksketch) of the Backdrop Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
- Alex Bronstein (effulgentsia)
- Jen Lampton (jenlampton) Provisional Member of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
- Adam G-H (phenaproxima)
- Samuel Mortenson (samuel.mortenson)
- Jess (xjm) of the Drupal Security Team
- Jen Lampton (jenlampton) of the Backdrop Security Team