Overview :
Multiple issues was discovered in Backdrop CMS
Affected Product(s) :
  • Backdrop Core 1.14.x versions prior to 1.14.2
  • Backdrop Core 1.13.x versions prior to 1.13.5
Vulnerability Details :
CVE ID : CVE-2019-19900

Backdrop CMS doesn’t sufficiently filter output when displaying content type names in the content creation interface. An attacker could potentially craft a specialized content type name, then have an editor execute scripting when creating content.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer content types”.

CVE ID : CVE-2019-19901

Backdrop CMS doesn’t sufficiently filter output when displaying certain block descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when configuring a layout.

This issue is mitigated by the fact that the attacker would be required to have the permission to create custom blocks, which is typically an administrative task.

CVE ID : CVE-2019-19902

Backdrop CMS allows the upload of entire-site configuration archives through the user interface or command-line. Backdrop CMS does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to potentially be uploaded to the server.

This issue is mitigated by the fact that the attacker would be required to have the “Synchronize, import, and export configuration” permission, a permission that only trusted administrators should be given. Other measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.

CVE ID : CVE-2019-19903

Backdrop CMS doesn’t sufficiently filter output when displaying file type descriptions created by administrators. An attacker could potentially craft a specialized description, then have an administrator execute scripting when viewing the list of file types.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer file types”.

Solution :

Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.14.2 release page. See the update instructions, if needed.