CVE-2025-25063Cross-site Scripting in Backdrop

CWE-79Cross-site Scripting3 documents3 sources
Severity
4.4MEDIUMNVD
EPSS
0.6%
top 30.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Backdropcms BackdropBackdropcms Backdrop CMS
Timeline
PublishedFeb 3

Description

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 1.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5backdropcms/backdrop1.28.01.28.5+1
NVDbackdropcms/backdrop_cms1.28.01.28.5+1

🔴Vulnerability Details

2
GHSA
GHSA-cfr9-prm9-crgr: An XSS issue was discovered in Backdrop CMS 12025-02-03
CVEList
CVE-2025-25063: An XSS issue was discovered in Backdrop CMS 12025-02-03
CVE-2025-25063 — Cross-site Scripting in Backdrop | cvebase