PT-2019-13823 · Backdrop · Backdrop CMS

Ashwin Shenoi (+2)

Published 2019-08-08 · Updated 2024-08-05

CVE-2019-14771

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Backdrop CMS versions 1.12.x through 1.12.7; Backdrop CMS versions 1.13.x through 1.13.2
Description: Backdrop CMS accepts entire-site configuration archives for import, through the user interface or the command line, without sufficiently checking the uploaded archive for invalid data. An archive can therefore carry files that are not configuration at all, and those files are written to the server, so a non-configuration script can be planted this way. The attack is mitigated by the requirement for the "Synchronize, import, and export configuration" permission, which should only be given to trusted administrators (the CVSS vector above nevertheless scores the issue as PR:N). Additionally, other preventative measures in Backdrop CMS prevent the execution of PHP scripts, so another server-side scripting language must be available on the server for the planted file to execute code.
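The description above comes down to one missing step: the import trusted every member of the uploaded archive instead of checking that each one is a flat JSON configuration file. The following Python is an added illustration, not Backdrop's own code, of the vulnerable pattern (extract everything) beside a hardened import that validates member names, types, sizes and JSON bodies, and refuses the whole archive if anything is off. The archive contents, the 1 MiB per-entry limit and the `*.json`-only naming rule are assumptions for the example; Backdrop's real import and storage paths are not modelled.

```python
import io
import json
import os
import posixpath
import tarfile
import tempfile

# Assumed per-entry size limit for the example; not a Backdrop setting.
MAX_ENTRY_BYTES = 1 << 20


def build_archive(entries):
    """Build an in-memory .tar.gz from (name, bytes) pairs. Constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_config_name(name):
    """Backdrop stores configuration as flat JSON files such as system.core.json.
    Accept only a plain basename ending in .json: no directories, no '..',
    no absolute paths, no dotfiles. (Assumed rule for this example.)"""
    if name != posixpath.basename(name) or name.startswith("."):
        return False
    return name.endswith(".json") and len(name) > len(".json")


def unsafe_extract(archive_bytes, dest):
    """Vulnerable pattern: every member of the upload is written to disk as-is."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        tar.extractall(dest)


def validate_config_archive(archive_bytes):
    """Return (accepted, rejected). A member is accepted only if it is a regular
    file with a top-level *.json name, within the size limit, whose body parses
    as a JSON object. Every other member is reported with the reason."""
    accepted, rejected = {}, {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isreg():
                rejected[member.name] = "not a regular file"
            elif not is_config_name(member.name):
                rejected[member.name] = "not a top-level .json config name"
            elif member.size > MAX_ENTRY_BYTES:
                rejected[member.name] = "exceeds size limit"
            else:
                body = tar.extractfile(member).read()
                try:
                    parsed = json.loads(body.decode("utf-8"))
                except (UnicodeDecodeError, ValueError):
                    rejected[member.name] = "body is not valid JSON"
                    continue
                if not isinstance(parsed, dict):
                    rejected[member.name] = "JSON body is not an object"
                    continue
                accepted[member.name] = parsed
    return accepted, rejected


def safe_import(archive_bytes, dest):
    """Hardened pattern: validate first, all-or-nothing, then write only the
    re-serialised JSON so nothing but configuration text reaches disk."""
    accepted, rejected = validate_config_archive(archive_bytes)
    if rejected:
        return [], rejected
    for name, parsed in accepted.items():
        with open(os.path.join(dest, name), "w", encoding="utf-8") as fh:
            json.dump(parsed, fh, indent=2)
    return sorted(accepted), rejected


# Constructed archives: one clean, one carrying the kinds of members the
# advisory says were not checked (a script, a nested path, a non-JSON body).
CLEAN_ARCHIVE = build_archive([
    ("system.core.json", json.dumps({"site_name": "Example"}).encode()),
])
TAINTED_ARCHIVE = build_archive([
    ("system.core.json", json.dumps({"site_name": "Example"}).encode()),
    ("backdoor.cgi", b"#!/bin/sh\nid\n"),   # non-configuration script
    ("lib/extra.json", b"{}"),             # nested path, not a flat config file
    ("broken.json", b"not json"),          # config-like name, non-JSON body
])


def run_demo():
    """Import both archives each way into temp dirs and report what reached disk."""
    with tempfile.TemporaryDirectory() as unsafe_dir, tempfile.TemporaryDirectory() as safe_dir:
        unsafe_extract(TAINTED_ARCHIVE, unsafe_dir)
        unsafe_files = sorted(
            os.path.relpath(os.path.join(root, f), unsafe_dir).replace(os.sep, "/")
            for root, _, files in os.walk(unsafe_dir) for f in files
        )
        tainted_written, rejected = safe_import(TAINTED_ARCHIVE, safe_dir)
        clean_written, _ = safe_import(CLEAN_ARCHIVE, safe_dir)
        safe_files = sorted(os.listdir(safe_dir))
    return {"unsafe": unsafe_files, "tainted_written": tainted_written,
            "rejected": rejected, "clean_written": clean_written, "safe": safe_files}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The unsafe path leaves `backdoor.cgi` on disk alongside the real configuration, which is exactly the foothold the description warns about; the hardened path rejects the tainted archive outright and only ever writes re-serialised JSON. Rejecting the whole archive rather than skipping bad members matters for a site-wide import, since a partially applied configuration is its own failure mode.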
Recommendations: For Backdrop CMS versions 1.12.x through 1.12.7, update to version 1.12.8 or later. For Backdrop CMS versions 1.13.x through 1.13.2, update to version 1.13.3 or later. As a temporary workaround, restrict the "Synchronize, import, and export configuration" permission to trusted administrators and review which roles currently hold it. Because the flaw writes non-configuration files to the server, sites that were exposed should also check for uploaded files that are not configuration before assuming the update alone resolved the issue.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2019-14771

Affected Products

Backdrop Cms