SB2019080835 - Multiple vulnerabilities in Backdrop CMS

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2019-14769)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.)

2) Input validation error (CVE-ID: CVE-2019-14771)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, potentially allowing non-configuration scripts to be uploaded to the server. (This attack is mitigated by the attacker needing the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other preventative measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.)

Remediation

Install update from vendor's website.

References

• https://backdropcms.org/security/backdrop-sa-core-2019-011
• https://backdropcms.org/security/backdrop-sa-core-2019-012