CVE-2025-25062

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-25062

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25062.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-25062

Published

2025-02-03T04:15:09.587Z

Modified

2026-04-10T05:23:11.293090Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It doesn't sufficiently isolate long text content when the CKEditor 5 rich text editor is used. This allows a potential attacker to craft specialized HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. This vulnerability is mitigated by the fact that an attacker must have the ability to create long text content (such as through the node or comment forms) and an administrator must edit (not view) the content that contains the malicious content. This problem only exists when using the CKEditor 5 module.

References

Affected packages

Git / github.com/backdrop/backdrop

Affected ranges

Type

GIT

Repo

https://github.com/backdrop/backdrop

Events

Introduced

cb77a9c8df5dd334ceedd22365bfc021975b9e69

Fixed

d8af51f9cd8b081dd27a59e2925246b6e8bfd6cf

Introduced

4b3e2d2f25c01f3187afc5e56fb6a44930a1bbac

Fixed

5b4c88bf2da3c07ab78aed273de943a455e4bdfa

Database specific

{
    "versions": [
        {
            "introduced": "1.28.0"
        },
        {
            "fixed": "1.28.5"
        },
        {
            "introduced": "1.29.0"
        },
        {
            "fixed": "1.29.3"
        }
    ]
}

Affected versions

1.*

1.28.0

1.28.1

1.28.2

1.28.3

1.28.4

1.29.0

1.29.1

1.29.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25062.json"