CVE-2019-19902

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-19902

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19902.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-19902

Published

2019-12-19T06:15:11.117Z

Modified

2025-11-20T11:00:52.573487Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and 1.14.x before 1.14.2. It allows the upload of entire-site configuration archives through the user interface or command line. It does not sufficiently check uploaded archives for invalid data, allowing non-configuration scripts to potentially be uploaded to the server. This issue is mitigated by the fact that the attacker would be required to have the "Synchronize, import, and export configuration" permission, a permission that only trusted administrators should be given. Other measures in the product prevent the execution of PHP scripts, so another server-side scripting language must be accessible on the server to execute code.

References

https://backdropcms.org/security/backdrop-sa-core-2019-016

Affected packages

Git / github.com/backdrop/backdrop

Affected ranges

Type: GIT
Repo: https://github.com/backdrop/backdrop
Events: Introduced

9d7c5d90930b5b21f3183d035e1cfa9471b8827d

Fixed

1836c576fe938b5baec7827832a10a6088dbcd20

Affected versions

1.*

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4