Backdrop CMS turned 6 years on January 15, 2021 and on the same day the Backdrop community has proudly released version 1.18.0. Congratulations to all users and developers of Backdrop CMS - the open source CMS that helps you build websites for businesses and non-profits in the best traditions of Drupal 7!
We are happy to announce the initial release of FAQ field module for Backdrop. Initially created for Drupal 7 by Patrick Drotleff and now ported to Backdrop by AltaGrade team, FAQ Field module provides a field for frequently asked questions.
Adding to any content type or user entity, you can create simple but smooth frequently asked questions on any piece of content on your Backdrop website.
WordPress 5.6 “Simone,” named in honor of American performer and civil rights activist Nina Simone, has been released today. The release was led by an all-women release squad, a first in WordPress history. The new version includes many enhancements for the block editor, accessibility improvements, application password support for the REST API, and a new default theme.
Date: Wednesday, Nov 25th, 2020
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2020-008
CVE ID: CVE-2020-28948, CVE-2020-28949
Vulnerability: Arbitrary PHP code executionBackdrop versions 1.15 and prior do not receive security coverage.
Project: Drupal core
Date: 2020-November-25
Security risk: Critical 18∕25
Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-28949,CVE-2020-28948The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
Date: Wednesday, Nov 18th, 2020
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2020-007
CVE ID: CVE-2020-13671
Vulnerability: Remote Code ExecutionBackdrop versions 1.15 and prior do not receive security coverage.
Project: Media: oEmbed
Date: 2020-November-18
Security risk: Critical 17∕25
Vulnerability: Remote Code ExecutionMedia oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012.
Install the latest version:
Upgrade to Media oEmbed 7.x-2.8
Project: Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO )
Date: 2020-October-14
Vulnerability: SQL Injection
This module enables you login into any OAuth 2.0 compliant application using Drupal credentials.
The 8.x branch of the module is vulnerable to SQL injection.
Install the latest version:
If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1
Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14∕25
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
Install the latest version: