CVE-2025-25063 (GCVE-0-2025-25063)
Vulnerability from cvelistv5
Published
2025-02-03 00:00
Modified
2025-02-12 20:41
Severity ?
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.
References
Impacted products
Vendor Product Version
backdropcms backdrop Version: 1.28.0   
Version: 1.29.0   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-03T13:22:09.847627Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:41:38.109Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "backdrop",
          "vendor": "backdropcms",
          "versions": [
            {
              "lessThan": "1.28.5",
              "status": "affected",
              "version": "1.28.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.29.3",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.28.5",
                  "versionStartIncluding": "1.28.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:backdropcms:backdrop:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.29.3",
                  "versionStartIncluding": "1.29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within \u0026lt;img\u0026gt; tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-03T04:02:49.648Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://backdropcms.org/security/backdrop-sa-core-2025-002"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-25063",
    "datePublished": "2025-02-03T00:00:00.000Z",
    "dateReserved": "2025-02-03T00:00:00.000Z",
    "dateUpdated": "2025-02-12T20:41:38.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-25063\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-02-03T04:15:09.760\",\"lastModified\":\"2025-02-03T04:15:09.760\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within \u0026lt;img\u0026gt; tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema de XSS en Background CMS 1.28.x anterior a 1.28.5 y 1.29.x anterior a 1.29.3. No valida lo suficiente las im\u00e1genes SVG cargadas para garantizar que no contengan etiquetas SVG potencialmente peligrosas. Las im\u00e1genes SVG pueden contener enlaces en los que se puede hacer clic y secuencias de comandos ejecutables, y al usar un SVG manipulado, es posible ejecutar secuencias de comandos en el navegador cuando se visualiza una imagen SVG. Este problema se mitiga porque el atacante necesita poder cargar im\u00e1genes SVG y porque Background incrusta todas las im\u00e1genes SVG cargadas dentro de las etiquetas \u0026lt;img\u0026gt;, lo que evita que se ejecuten secuencias de comandos. El SVG debe visualizarse directamente por su URL para poder ejecutar cualquier secuencia de comandos incrustada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://backdropcms.org/security/backdrop-sa-core-2025-002\",\"source\":\"cve@mitre.org\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.