Security Advisories

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.

Those advisories are:

• CVE-2020-11022
• CVE-2020-11023

These vulnerabilities may be exploitable on some Backdrop sites. This security release backports the fixes to the relevant jQuery functions without making any other changes to the jQuery version that is included in core, or running on the site via some other module such as jQuery Update. It is not necessary to update jquery_update on sites that have the module installed.

Backwards-compatibility code has also been added to minimize regressions to sites that might rely on jQuery's prior behavior. With jQuery 3.5, incorrect self-closing HTML tags in JavaScript for elements where end tags are normally required will encounter a change in what jQuery returns or inserts. To minimize that disruption, this security release retains jQuery's prior behavior for most safe tags. There may still be regressions for edge cases, including invalidly self-closed custom elements on Internet Explorer.

If you find a regression caused by the jQuery changes, please report it in Backdrop core's issue queue (or that of the relevant contrib project). However, if you believe you have found a security issue, please report it privately to the Backdrop Security Team.

Backdrop CMS has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the backdrop_goto() function.

Feeds JSONPath Parser has a dependency on the third party Library peekmo/jsonpath or Stefan Goessner's implementation of jsonpath, which when used with data that has not been sanatized allows arbitrary code to be run.

Vulnerabilities are possible if a user has permission to configure a feed, or the feed is configured such that a user with the access to the import form can alter a field mapping.

The latest version changes the dependency from the aforementioned libraries and changes it to flow/jsonpath, which does not require value sanitation for the same functionality.

The Backdrop project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Backdrop configurations.

Vulnerabilities are possible if Backdrop is configured to use the Rich-Text editor, CKEditor, for editing content. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.

The latest versions of Backdrop update CKEditor to 4.14 to mitigate the vulnerabilities.

The Backdrop CMS project uses the third-party library Archive_Tar, which has released a security update that impacts some Backdrop configurations.

Multiple vulnerabilities are possible if Backdrop is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads, and processes them.

The latest versions of Backdrop update Archive_Tar to 1.4.9 to mitigate these file processing vulnerabilities.

Backdrop CMS allows the upload of entire-site configuration archives through the user interface or command-line. Backdrop CMS does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to potentially be uploaded to the server.

This issue is mitigated by the fact that the attacker would be required to have the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.

Backdrop CMS doesn't sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer file types".

Backdrop CMS doesn't sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer content types".

Backdrop CMS doesn't sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when configuring a layout.

This issue is mitigated by the fact that the attacker would be required to have the permission to create custom blocks, which is typically an administrative task.

The module doesn't sufficiently protect against an attacker changing the submission identifier of a draft webform, thereby overwriting another user's submission. Confidential information is not disclosed, but information can be overwritten, and therefore lost or forged.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform, and the webform must have the advanced form setting of either Show "Save draft" button and/or Automatically save as draft between pages and when there are validation errors (neither of these two options are enabled by default). Anonymous users cannot submit drafts, and therefore cannot exploit this vulnerability.