Security Advisories

Central Authentication Services (CAS) is a commonly used Single Sign-On protocol used by many universities and large organizations. 

The module includes a copy of the phpCAS library that is maintained by a third-party. Previous versions of this library may allow an attacker to gain unauthorized access to a user account in Backdrop. This release both includes and supports an updated version of the library that addresses this issue.

For more information concerning the exploit, please visit the following URL: https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64

The File (Field) Paths module extends the default functionality of Backdrop's core File module, by adding the ability to use entity-based tokens in destination paths and file names.

The module's default configuration could temporarily expose private files to anonymous visitors.

Important note: to fix the problem, database updates must be run in addition to updating the module.

It's possible to make a configuration change to mitigate this problem in the admin UI at /admin/config/media/file-system/filefield-paths - the temp file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.

This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.

Rate module provides flexible voting widgets for nodes and comments.

Rate module did not sufficiently check access for nodes and comments.

In some situations, the Image module does not correctly check access to image files that are not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

Some sites may require configuration changes following this security release. Review the Backdrop release notes if you have issues accessing files or image styles after updating.

The Backdrop project uses the CKEditor library for rich-text editing. CKEditor has released a security update that impacts Backdrop.

If a Backdrop site is configured to use CKEditor for rich-text editing, an attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities. Victims may be people who later edit that content using CKEditor, including site admins with privileged access.

For more information, see CKEditor's security advisories:

• CVE-2022-24728: HTML processing vulnerability allowing to execute JavaScript code
• CVE-2022-24729: Regular expression Denial of Service in dialog plugin

Backdrop CMS doesn't sufficiently sanitize certain interface text when adding links to existing content.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create content (nodes), files, user accounts, taxonomy terms, views, or layouts.

This module provides a very simple, mobile-friendly navigation toolbar.

The module doesn't sufficiently check for user-provided input.

This vulnerability is mitigated by the fact that an attacker must have the ability to post content using a text format (like the default "Filtered HTML" format) that won't filter out the exploit code.

Backdrop core's Form API has a vulnerability where certain forms in contributed or custom modules may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

The colorbox module is a light-weight, customizable lightbox plugin for jQuery that allows images or content can be displayed in a popup or modal "lightbox" above the current page.

Colorbox did not sufficiently sanitize urls, captions, or the title attribute in some situations.

This vulnerability is mitigated by the fact that your site must have enabled the Colorbox feature to use captions, title attributes, and/or external URLs in order to have been at risk. Additionally, an attacker must have had access to an unsanitized text format, or a format that was otherwise adapted to allow the use of colorboxes.

There will be no additional Backdrop release today. The version of jQuery UI included in Backdrop CMS is up to date as of the latest Backdrop release, version 1.21.0, out January 15th, 2022.

Earlier versions of Backdrop core did not use the parts of the jQuery UI library that were affected by the following vulnerabilities. It is possible that they may still be exploitable with  contributed modules if they were to use those parts of the jQuery UI library. There are no known instances of this happening.

jQuery UI is a third-party library included in Backdrop CMS. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issues that may affect Backdrop sites that have not yet updated to 1.21.0:

• CVE-2021-41182: XSS in the altField option of the Datepicker widget
• CVE-2021-41183: XSS in *Text options of the Datepicker widget
• CVE-2021-41183: XSS in the of option of the .position() util

Note: All other vulnerabilities that were previously unaddressed in the version of jQuery UI included in Drupal 7 do not effect any version of Backdrop CMS.