#VU105896 Improper access control in Backdrop CMS

Cybersecurity Help s.r.o.

Published: 2025-03-20

Vulnerability identifier: #VU105896

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Backdrop CMS
Web applications / CMS

Vendor: Backdrop CMS

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to a bug in the core Actions system. A remote attacker can use bulk actions to modify some values that they would not have permission to modify when editing individual nodes.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Backdrop CMS: 1.29.0 - 1.29.4, 1.30.0 - 1.30.1

External links
https://backdropcms.org/security/backdrop-sa-core-2025-003

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper access control in Backdrop CMS