Backdrop 1.15 has just been released
Following the 4-month release cycle, the Backdrop community has released the version 1.15 of Backdrop CMS.
The AltaGrade Blog
Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001
Project: Radix
Date: 2020-January-15
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting
Description
Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.
The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.
This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.
Solution
Install the latest version:
Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075
Project: Open Social
Date: 2019-November-06
Security risk: Critical 15∕25
Vulnerability: Insecure Session Management
Description
Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.
External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063
Project: External Links Filter
Date: 2019-August-14
Security risk: Moderately critical 10∕25
Vulnerability: Open Redirect VulnerabilityDescription
The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL.
The module did not have protection for the Redirect URL to go where content authors intended.
Solution
Install the latest version:
Updated: Finalizing migration from Drupion to AltaGrade
Update of June 5, 2019: We have to re-send this newsletter once again, because when contacted about migration some customers reported they didn't receive previous notifications about Drupion-AltaGrade transformation.
Timetable for migration to AltaGrade
As you might know we first announced the launch of our new AltaGrade website and the new hosting platform back on November, 2018. Since then we've been accepting new orders on and migrating Drupion customers who wanted immediate upgrades to the new system.