Backdrop Backdropcms Backdrop

Do you want an email whenever new security vulnerabilities are reported in Backdropcms Backdrop?

By the Year

In 2023 there have been 0 vulnerabilities in Backdropcms Backdrop . Last year Backdrop had 4 security vulnerabilities published. Right now, Backdrop is on track to have less security vulnerabilities in 2023 than it did last year.

Year Vulnerabilities Average Score
2023 0 0.00
2022 4 5.95
2021 0 0.00
2020 0 0.00
2019 2 6.10
2018 0 0.00

It may take a day or so for new Backdrop vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Backdropcms Backdrop Security Vulnerabilities

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment

CVE-2022-42097 4.8 - Medium - November 22, 2022

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via 'Comment.' .

XSS

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability

CVE-2022-42094 4.8 - Medium - November 22, 2022

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the 'Card' content.

XSS

A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1

CVE-2022-24590 5.4 - Medium - February 15, 2022

A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML.

XSS

** DISPUTED ** A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which

CVE-2021-45268 8.8 - High - February 03, 2022

** DISPUTED ** A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons.

Session Riding

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators

CVE-2019-14769 6.1 - Medium - August 08, 2019

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. (This issue is mitigated by the attacker needing permission to create custom blocks on the site, which is typically an administrative permission.)

XSS

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {},

CVE-2019-11358 6.1 - Medium - April 20, 2019

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Prototype Pollution

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Oracle Communications Services Gatekeeper or by Backdropcms? Click the Watch button to subscribe.

Backdropcms
Vendor

subscribe