CVE-2025-25063 MEDIUM

CVE-2025-25063

Vendor Backdropcms
Product backdrop
Weakness CWE-79 · XSS
Published February 3, 2025
Last update February 12, 2025
View on NVD All CVEs

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.

Key dates

02Disclosure timeline

February 3, 2025 CVE published
February 12, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-4430 Beaver Builder <= 2.8.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via photo widget crop attribute CVE-2022-36020 Bypass of Cross-Site Scripting Protection in typo3/html-sanitizer CVE-2026-3604 WP SEO Structured Data Schema <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_kcseo_ative_tab' Parameter CVE-2026-27242 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2026-44669 Faction: Stored XSS in Assessment Attachment Filename Preview Rendering