Backdrop core - Moderately critical - Third-party library - BACKDROP-SA-CORE-2020-001

Backdrop core - Moderately critical - Third-party library - BACKDROP-SA-CORE-2020-001

Security risk: Moderately Critical
Advisory ID: BACKDROP-SA-CORE-2020-001
Vulnerability: Third Party Libraries

Description

The Backdrop project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Backdrop configurations.

Vulnerabilities are possible if Backdrop is configured to use the Rich-Text editor, CKEditor, for editing content. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.

The latest versions of Backdrop update CKEditor to 4.14 to mitigate the vulnerabilities.

Solution

Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.x.x release page. See the update instructions, if needed.

The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated.

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kind of Open Source applications, AI, bitcoins, but mostly about Drupal. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.