Backdrop core - Multiple vulnerabilities - SA-CORE-2015-001

Date: 
Feb 11th, 2015
Vulnerability: 
Multiple vulnerabilities

Layout access bypass

The core Layout module incorrectly stores contextual information in a cache, so that a cached context may be served in the wrong situation. This may result in blocks or layouts that are limited to a specific user role or permission being shown to non-privileged accounts. This vulnerability is mitigated by the fact that an administrator must have configured a layout or block to use contextual access control. By default, all blocks and layouts have no access restrictions.
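The failure mode described above is a render cache whose key omits the viewer's context. The following is an added illustration, not Backdrop's own code: a constructed block visibility table, a defective cache keyed by block id alone, and a corrected cache keyed by block id plus the viewer's roles. When an administrator renders the page first, the defective version hands the cached, role-restricted block to the anonymous visitor who comes next.

```python
from typing import Dict, FrozenSet, Tuple

# Constructed sample data for this illustration (not Backdrop's configuration):
# which roles may see each block. An empty set means the block is unrestricted,
# which is the default for every Backdrop block.
BLOCK_ROLE_RESTRICTIONS: Dict[str, FrozenSet[str]] = {
    "admin_tools": frozenset({"administrator"}),
    "site_news": frozenset(),
}


def block_visible(block_id: str, roles: FrozenSet[str]) -> bool:
    """Contextual access check: visible if unrestricted or the viewer holds an allowed role."""
    allowed = BLOCK_ROLE_RESTRICTIONS[block_id]
    return not allowed or bool(allowed & roles)


def render_block(block_id: str) -> str:
    """Stand-in for the expensive rendering the cache is meant to avoid."""
    return f"<div class='block-{block_id}'>...</div>"


def render_with_cache(cache: Dict, key, block_id: str, roles: FrozenSet[str]) -> str:
    """Shared render path: decide visibility once per cache key and store the result."""
    if key not in cache:
        cache[key] = render_block(block_id) if block_visible(block_id, roles) else ""
    return cache[key]


def render_unsafe(cache: Dict, block_id: str, roles: FrozenSet[str]) -> str:
    """Defective: the key ignores viewer context, so the first viewer's result is served to all."""
    return render_with_cache(cache, block_id, block_id, roles)


def render_safe(cache: Dict, block_id: str, roles: FrozenSet[str]) -> str:
    """Fixed: every input that influences the access decision is part of the key."""
    key = (block_id, tuple(sorted(roles)))
    return render_with_cache(cache, key, block_id, roles)


def demo(render) -> Tuple[str, str]:
    """An administrator views the page first, then an anonymous visitor.

    Returns what each of them receives for the role-restricted block.
    """
    cache: Dict = {}
    admin = frozenset({"authenticated", "administrator"})
    anonymous = frozenset({"anonymous"})
    return render(cache, "admin_tools", admin), render(cache, "admin_tools", anonymous)


if __name__ == "__main__":
    print("unsafe:", demo(render_unsafe))  # anonymous receives the admin-only block
    print("safe:  ", demo(render_safe))    # anonymous receives nothing
```

The general rule the fix illustrates: anything consulted by an access check (roles, permissions, the requested entity, language) must be part of the cache key, or the check must run after the cache lookup on every request.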

Views open redirect vulnerability

The core Views UI module does not sanitize user-provided URLs when processing the page that breaks the lock on a View being edited, thereby exposing a phishing attack vector (an open redirect). This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.
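The defensive check for this class of bug is to accept only same-site destinations before redirecting. The following is an added example and not Backdrop's own code; the fallback path and the sample destinations are constructed for the illustration. It rejects absolute URLs, protocol-relative `//host` URLs and the backslash variant `/\host` that browsers resolve to another host.

```python
from urllib.parse import urlsplit


def is_local_path(destination: str) -> bool:
    """Return True only for a destination that stays on the current site.

    Anything a browser could resolve to another host or scheme is rejected.
    """
    if not destination:
        return False
    # Browsers strip surrounding whitespace and treat backslashes as slashes,
    # so normalise the same way before deciding; otherwise "/\evil.example"
    # would parse as a harmless local path.
    candidate = destination.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False  # "https://host/...", "javascript:...", "//host/..."
    if candidate.startswith("//"):
        return False  # defensive: protocol-relative form without a host part
    return True


def safe_redirect_target(destination: str, fallback: str = "/admin/structure/views") -> str:
    """Use the requested destination if it is local, otherwise a fixed fallback.

    The fallback path is a constructed placeholder, not a Backdrop route.
    """
    return destination if is_local_path(destination) else fallback


if __name__ == "__main__":
    # Constructed sample destinations, as they might arrive in a query string.
    for dest in (
        "admin/structure/views/view/frontpage",
        "/admin/structure/views?edited=1",
        "https://attacker.example/login",
        "//attacker.example/login",
        "/\\attacker.example",
        "javascript:alert(1)",
    ):
        print(f"{dest!r:45} -> {safe_redirect_target(dest)}")
```

Relative internal paths without a leading slash are accepted because they can only resolve within the current site; a bare `host:port` string is rejected as a side effect of the scheme check, which is the conservative outcome.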

Views access bypass vulnerability

The core Views module does not protect the default Views configurations sufficiently, thereby exposing possibly protected information to unprivileged users. This vulnerability is mitigated by the fact that it only affects sites that have not granted the common "access content" or "access comments" permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.

Advisory ID: 
BACKDROP-SA-CORE-2015-001
Versions affected: 
  • Backdrop Core 1.x versions prior to 1.0.2

PSA: Backdrop core critical release on April 25th, 2018

Vulnerability: 
To Be Announced

There will be a security release of Backdrop 1.9.x, and 1.8.x on April 25th, 2018 between 16:00 - 18:00 UTC. For all security updates, the Security Team urges you to reserve time for core updates at that time because exploits might be developed within days or even hours. Security release announcements will appear here, on the Backdrop security page.

This security release is a follow-up to the one released as BACKDROP-SA-CORE-2018-002 on March 28.

While Backdrop 1.8.x is no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue we are providing a release for 1.8.x that includes the fix, for sites that have not yet had a chance to update to 1.9.x. The Backdrop Security Team strongly recommends the following:

  • Sites on 1.9.x can immediately update when the advisory is released using the normal procedure.
  • Sites on 1.8.x should immediately update to the 1.8.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.8.x no longer receives official security coverage).

The security advisory will list the appropriate version numbers for both Backdrop branches. Your site's update report page will recommend the 1.9.x release even if you are on 1.8.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

Patches for 1.9.x, and 1.8.x will be provided in addition to the full releases mentioned above. (If your site is on a Backdrop release older than 1.8.0, it no longer receives security coverage and will not receive a security update. Upgrading is strongly recommended as older Backdrop versions may contain other disclosed security vulnerabilities.)

This release will not require a database update.

Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.backdropcms.org/security, over Twitter, and by email to those who have subscribed to the security email list.

To subscribe to the security email list:

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"

Advisory ID: 
PSA-2018-002
Versions affected: 
  • Backdrop Core 1.x versions prior to 1.9.5

PSA: Highly critical Backdrop core release on March 28th, 2018

Vulnerability: 
To Be Announced

There will be a security release of Backdrop CMS 1.9.x, 1.8.x, and 1.7.x on March 28th 2018 between 18:00 - 19:30 UTC, that will fix a highly critical security vulnerability. For all security updates, the Security Team urges you to reserve time for core updates at that time because exploits might be developed within days or even hours. Security release announcements will appear here, on the Backdrop security page.

While Backdrop 1.8.x and 1.7.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue we are providing 1.8.x and 1.7.x releases that include the fix, for sites that have not yet had a chance to update to 1.9.x. The Backdrop Security Team strongly recommends the following:

  • Sites on 1.9.x can immediately update when the advisory is released using the normal procedure.
  • Sites on 1.8.x should immediately update to the 1.8.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.8.x no longer receives official security coverage).
  • Sites on 1.7.x should immediately update to the 1.7.x release that will be provided in the advisory, and then plan to update to the latest 1.9.x security release in the next month (since 1.7.x no longer receives official security coverage).

The security advisory will list the appropriate version numbers for all three Backdrop branches. Your site's update report page will recommend the 1.9.x release even if you are on 1.8.x or 1.7.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

This update will not require a database update.

Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.backdropcms.org/security, over Twitter, and by email to those who have subscribed to the security email list.

To subscribe to the security email list:

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"

Advisory ID: 
PSA-2018-001
Versions affected: 
  • Backdrop Core, all versions prior to 1.9.3.