Security Advisories

The GDPR cookies module contains a library with known vulnerabilities:

• https://security.snyk.io/vuln/SNYK-JS-TARTEAUCITRONJS-5772112
• https://security.snyk.io/vuln/SNYK-JS-TARTEAUCITRONJS-8366541

tarteaucitronjs is a package that provides compliance to the European cookie law.  Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of the services attributes value, and improper user-input sanitization, via width, theme, controls, img and other attributes.

This module enables you to integrate the site with the Google Tag Manager (GTM) application.

The module doesn't have the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.

Backdrop CMS does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed.

This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Backdrop CMS doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content.

This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Backdrop core contains a potential PHP Object Injection vulnerability that, if combined with another exploit, could lead to Remote Code Execution.

This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Backdrop core.

As part of the protection against this potential vulnerability, additional checks have been added to some of Backdrop core's database related code.

Backdrop CMS doesn't sufficiently sanitize SVG images when they are embedded into content.

This vulnerability is mitigated by the fact that the SVG tag must be in the list of allowed tags for a text format, and an attacker must have a role with sufficient permission to access the format, and upload images. 

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently migrate sessions before prompting for a second factor token.

This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing Two Factor authentication. An attacker must gather additional information regarding the entry form after authentication. An attacker must still present a valid token to complete authentication.

Backdrop CMS doesn't sufficiently sanitize field labels before they are displayed in certain places.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fields".

Nivo Slider does not check permissions properly, allowing anonymous site visitors access to admin pages where they can change the module settings.

The reason is in the function nivo_slider_menu() where the property 'access callback' is set to TRUE (for 3 admin paths).

Some issues were discovered in phpseclib 3.x before 3.0.36, which is included as part of the Google API PHP Client Library bundled with the Google Auth module. They make it possible for a denial of service attack.