Description

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.

INFO

Published Date :

2025-02-03T00:00:00.000Z

Last Modified :

2025-02-12T20:41:38.109Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-25063 vulnerability.

Vendors Products
Backdropcms
  • Backdrop
  • Backdrop Cms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-25063.

URL Resource
https://backdropcms.org/security/backdrop-sa-core-2025-002 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact