Backdrop

Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044

Project: Entity Browser Block
Date: 2022-May-25
Security risk: Moderately critical 13/25
Vulnerability: Access bypass

Description

Entity Browser Block provides a Block Plugin for every Entity Browser on your site.

The module didn't sufficiently check entity view access in the block form.

This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.

Backdrop core - Moderately critical - Cross Site Scripting

Date: Wednesday, May 26th, 2021
Security risk: Moderately Critical
Advisory ID: BACKDROP-SA-CORE-2021-003
Vulnerability: Cross Site Scripting

Versions affected

  • Backdrop Core 1.19.x versions prior to 1.19.1
  • Backdrop Core 1.18.x versions prior to 1.18.5

Backdrop versions 1.17 and prior do not receive security coverage.

Description

Backdrop core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack.

Backdrop core - Critical - Cross-site scripting - SA-CORE-2021-002

Date: Wednesday, Apr 21st, 2021
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2021-002
Vulnerability: Cross Site Scripting

Versions affected

  • Backdrop Core 1.18.x versions prior to 1.18.3
  • Backdrop Core 1.17.x versions prior to 1.17.7

Backdrop versions 1.16 and prior do not receive security coverage.

Description

Backdrop core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

AltaGrade donates the domain name "backdrop.org" to the Backdrop community

I remember poking into Backdrop's code for the first time back in October 2014, when we tried to set it up on Drupion (the older incarnation of our company). According to a popular Russian proverb, "the first pancake is always wonky," so we ran into our first Backdrop problem right then. However, with the valuable input from the Backdrop community members we quickly made necessary changes and got it up and running.

Backdrop core - Critical - Third-party libraries - BACKDROP-SA-CORE-2021-001

Date: Wednesday, Jan 27th, 2021
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2021-001
CVE ID: CVE-2020-36193
Vulnerability: Third Party Libraries
Versions affected: Backdrop Core 1.18.x versions prior to 1.18.1, Backdrop Core 1.17.x versions prior to 1.17.6
Backdrop versions 1.16 and prior do not receive security coverage.

Description

The Backdrop project uses the pear Archive_Tar library, which has released a security update that impacts Backdrop. For more information please see:

Paragraphs jQuery UI Accordion has been ported to Backdrop

Description

This is to announce the initial release of the Paragraphs jQuery UI Accordion module for Backdrop. Initially created for Drupal by Maksym Shakhrai, the module has now been ported to Backdrop by the AltaGrade team.

Paragraphs jQuery UI Accordion is a module for creating paragraphs with an accordion effect in your Backdrop website's content. It is based on the jQuery UI Accordion plugin, which is already included in core, so there is no need to install additional libraries.

Drupal 7's FAQ Field has been ported to Backdrop

Description

We are happy to announce the initial release of the FAQ Field module for Backdrop. Initially created for Drupal 7 by Patrick Drotleff and now ported to Backdrop by the AltaGrade team, the FAQ Field module provides a field for frequently asked questions.

Added to any content type or user entity, the field lets you create simple but smooth frequently asked questions on any piece of content on your Backdrop website.

Backdrop core - Critical - Arbitrary PHP code execution - BACKDROP-SA-CORE-2020-008

Date: Wednesday, Nov 25th, 2020
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2020-008
CVE ID: CVE-2020-28948, CVE-2020-28949
Vulnerability: Arbitrary PHP code execution

Versions affected

  • Backdrop Core 1.17.x versions prior to 1.17.4
  • Backdrop Core 1.16.x versions prior to 1.16.6

Backdrop versions 1.15 and prior do not receive security coverage.
