Protected Pages - Moderately critical - Access bypass - BACKDROP-SA-CONTRIB-2025-016

Date: 
Aug 29th, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Access bypass

The Protected Pages module allows you to protect individual pages with a password.

The module doesn't limit the number of password attempts, making it vulnerable to brute-force attacks.

This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-016
Versions affected: 
  • Protected pages module, all versions prior to 1.x-2.4.1.

Module filter - Less Critical - Third Party Libraries - BACKDROP-SA-CONTRIB-2025-015

Date: 
Aug 25th, 2025
Security risk: 
Less Critical
Vulnerability: 
Third Party Libraries

Module filter module included an older version of the jQuery BBQ library, which contained a security vulnerability.

The risk is mitigated by the fact that an attacker would need access to the pages on which this module is used, and that access is normally restricted to the administrator role.

Note: Backdrop security releases are usually made on Wednesdays. This release was accidentally created out of band.

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-015
Versions affected: 
  • All module filter versions prior to 1.x-2.2.3

GLightbox - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-014

Date: 
Jun 26th, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

GLightbox module provides integration with the GLightbox library, a JavaScript lightbox for images.

The module doesn't sufficiently sanitize text provided to the GLightbox JavaScript library, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the GLightbox library.

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-014
Versions affected: 
  • GLightbox all versions prior to 1.x-1.0.3

GDPR Cookies - Less critical - Cross Site Scripting - SA-CONTRIB-2025-013

Date: 
May 6th, 2025
Security risk: 
Less Critical
Vulnerability: 
Cross Site Scripting

GDPR Cookies is a module that helps to meet GDPR requirements by blocking third party services that set cookies unless and until the user consents. 

The module doesn't sufficiently protect visitors from Cross Site Scripting if a malicious value has been provided for the optional 'Info content' field for the YouTube service.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service", and a site must have added a YouTube service as configuration.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Advisory ID: 
SA-CONTRIB-2025-013
Versions affected: 
  • GDPR Cookies all versions prior to 1.x-1.3.5

Colorbox - Moderately critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-012

Date: 
Apr 23rd, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Colorbox is a module that allows images, and iframed or inline content, to be displayed in a modal above the current page.

The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-012
Versions affected: 
  • Colorbox all versions prior to 1.x-2.17.3

Flag - Moderately critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-011

Date: 
Apr 16th, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

Flag module allows flags to be added to nodes, comments, users, and any other type of entity.

The module doesn't verify flag links before performing the flag action, nor does it verify that the response returned was produced by the Flag module. This allows specially crafted HTML to result in Cross Site Scripting.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format.

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-011
Versions affected: 
  • Flag versions prior to 1.x-3.6.2

GDPR Cookies - Moderately critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-010

Date: 
Apr 8th, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

The GDPR cookies module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to insert specific data attributes.

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-010
Versions affected: 
  • GDPR cookies versions prior to 1.x-1.3.4

Chosen - Less critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-008

Date: 
Apr 2nd, 2025
Security risk: 
Less Critical
Vulnerability: 
Cross Site Scripting

The Chosen module bundles the Chosen JavaScript library, which makes long, unwieldy select boxes more user friendly. The bundled version contains a known vulnerability: it did not properly sanitize optgroup labels.

This vulnerability is mitigated by the fact that an attacker must have the ability to enter optgroup labels, which would require a contributed or custom module.

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-008
Versions affected: 
  • Chosen module versions prior to 1.x-2.1.3

SpamSpan Filter - Moderately critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-009

Date: 
Apr 2nd, 2025
Security risk: 
Moderately Critical
Vulnerability: 
Cross Site Scripting

This module enables your site to obfuscate email addresses and prevent spambots from collecting them.

The module doesn't sanitize HTML data attributes when an email address link is transformed into separate span elements and then transformed back by JavaScript, leading to a Cross Site Scripting (XSS) vulnerability.

This is mitigated by the fact that an attacker must be able to insert span HTML elements with data attributes into the page.

See https://www.drupal.org/sa-contrib-2025-016.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Advisory ID: 
BACKDROP-SA-CONTRIB-2025-009
Versions affected: 
  • SpamSpan module versions prior to 1.3.2

Backdrop core - Less critical - Cross Site Scripting - BACKDROP-SA-CORE-2025-004

Date: 
Mar 19th, 2025
Security risk: 
Less Critical
Vulnerability: 
Cross Site Scripting

Backdrop core Link field attributes may not be sufficiently sanitized in specialized scenarios, which can lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability is not directly exploitable within core itself, nor are there any known contributed modules that exhibit the behavior. This is a security hardening change to prevent such attacks in the future; the problem has not been reproducible without a specialized module.

Sites are not affected if they are not extending the Link field module in ways that provide the ability to input additional link attributes.

Advisory ID: 
BACKDROP-SA-CORE-2025-004
Versions affected: 
  • Backdrop Core 1.30.x versions prior to 1.30.2
  • Backdrop Core 1.29.x versions prior to 1.29.5

Backdrop versions 1.28 and prior do not receive security coverage.
