#VU30511 Information disclosure in Backdrop CMS - CVE-2019-19902

Cybersecurity Help s.r.o.

Published: 2019-12-19 | Updated: 2020-07-17

Vulnerability identifier: #VU30511

Vulnerability risk: Medium

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-19902

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Backdrop CMS
Web applications / CMS

Vendor: Backdrop CMS

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to potentially be uploaded to the server. This issue is mitigated by the fact that the attacker would be required to have the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other measures in the product prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Backdrop CMS: 1.14.0 - 1.14.1

External links
https://backdropcms.org/security/backdrop-sa-core-2019-016

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Backdrop CMS