CVE-2021-45268

Name of the Vulnerable Software and Affected Versions Backdrop CMS version 1.20

Description A Cross Site Request Forgery (CSRF) issue exists, allowing remote attackers to gain Remote Code Execution (RCE) on the hosting web server via uploading a malicious add-on with a crafted PHP file. The attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons.

Recommendations For Backdrop CMS version 1.20, as a temporary workaround, consider restricting access to the add-on installation feature to minimize the risk of exploitation. Avoid using the add-on installation feature until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.