- Access bypass
- Arbitrary PHP code execution
- Backdrop Core 1.33.x versions prior to 1.33.2
- Backdrop Core 1.32.x versions prior to 1.32.3
- Backdrop versions 1.31 and prior do not receive security coverage.
Backdrop allows administrators to upload certain files that could be executable. The vulnerability is mitigated by the fact that it requires administrator-level access, and in most server configurations execution of uploaded files is disabled, either by the server itself or by the .htaccess files that Backdrop creates in its files directories. The most recent release hardens both the list of file types that may not be uploaded and the list of directories that may not be uploaded to, which helps prevent administrators from accidentally writing into system directories. The list of unsafe extensions has been expanded significantly to further reduce the chance that an uploaded file will be executed.
Because this configuration already requires administrator-level permissions, the improvements in the latest release are considered a security hardening and are not exploitable by unprivileged user accounts.
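As an added illustration (not Backdrop's own code, and not its actual extension or directory lists), the following Python sketch shows the two checks the description above refers to: neutralising unsafe extensions, including inner ones such as the `.php` in `shell.php.txt` that Apache's multiple-extension handling would otherwise key on, and refusing an upload directory that resolves outside the site's files directory. The blocklist, the `/srv/backdrop/files` root used in the demo, and the function names are assumptions made for this example.

```python
import os

# Constructed blocklist for this example (not Backdrop's actual list): extensions
# a web server or PHP could execute, plus server configuration files that change
# behaviour just by being written to disk.
UNSAFE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar",
    "pl", "py", "cgi", "asp", "aspx", "jsp", "sh", "htaccess", "htpasswd",
})


def munge_filename(filename: str) -> str:
    """Neutralise unsafe extensions anywhere in a dotted filename.

    With Apache's multiple-extension handling, "shell.php.txt" can still be
    run by the PHP handler because of the inner ".php" segment. Every unsafe
    inner segment therefore gets an underscore appended ("shell.php_.txt").
    An unsafe final extension is demoted to plain text by appending ".txt",
    and the former extension is then munged like any other inner segment,
    so "shell.php" becomes "shell.php_.txt". Matching is case-insensitive.
    """
    filename = os.path.basename(filename)  # never accept path components here
    parts = filename.split(".")
    if len(parts) < 2:
        return filename  # no extension, nothing a handler could key on
    if parts[-1].lower() in UNSAFE_EXTENSIONS:
        parts.append("txt")
    stem, *inner, last = parts
    rebuilt = [stem]
    for segment in inner:
        if segment.lower() in UNSAFE_EXTENSIONS:
            segment += "_"
        rebuilt.append(segment)
    rebuilt.append(last)
    return ".".join(rebuilt)


def resolve_upload_target(upload_root: str, relative_path: str) -> str:
    """Return the absolute target path, or raise if it escapes upload_root.

    This is the directory-side check: a configured subdirectory such as
    "../../core" must not let an upload land in a system directory.
    realpath() collapses ".." and symlinks, and commonpath() is used rather
    than a string prefix test so that a sibling directory like
    "/srv/backdrop/files_evil" is not mistaken for a child of
    "/srv/backdrop/files". An absolute relative_path is rejected too,
    because os.path.join() discards the root when the second argument is
    absolute and the result then resolves outside it.
    """
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, relative_path))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing to write outside {root}: {relative_path!r}")
    return target


def safe_upload_path(upload_root: str, subdir: str, filename: str) -> str:
    """Combine both checks: munge the name, then confine the directory."""
    return resolve_upload_target(upload_root, os.path.join(subdir, munge_filename(filename)))


if __name__ == "__main__":
    root = "/srv/backdrop/files"  # assumed site files directory for the demo
    for name in ("report.pdf", "shell.php", "shell.php.txt", ".htaccess"):
        print(f"{name!r:20} -> {munge_filename(name)!r}")
    print(safe_upload_path(root, "2024-05", "shell.php"))
    for bad in ("../../core/modules", "/etc", "../files_evil"):
        try:
            resolve_upload_target(root, bad)
        except ValueError as err:
            print("rejected:", err)
```

Note that the munging only neutralises what the blocklist names; it is a defence in depth next to the .htaccess that disables script execution in the files directory, not a replacement for it, which is why the advisory treats a larger blocklist as hardening rather than as the primary control.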
Upgrade your site to the most recent version of Backdrop core. Download the latest release from the Backdrop CMS Releases or use the built-in updater to self-update. See the update instructions, if needed.
- Jean-Nicolas Turbis
- Nate Lampton of the Backdrop CMS Security Team
- Nate Lampton of the Backdrop CMS Security Team
- Jen Lampton of the Backdrop CMS Security Team
- Laryn Kragt Bakker of the Backdrop CMS Security Team