CVE-2025-25063

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-25063

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25063.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-25063

Published

2025-02-03T04:15:09.760Z

Modified

2026-04-10T05:23:11.617688Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.

References

https://backdropcms.org/security/backdrop-sa-core-2025-002

Affected packages

Git / github.com/backdrop/backdrop

Affected ranges

Type

GIT

Repo

https://github.com/backdrop/backdrop

Events

Introduced

cb77a9c8df5dd334ceedd22365bfc021975b9e69

Fixed

d8af51f9cd8b081dd27a59e2925246b6e8bfd6cf

Introduced

4b3e2d2f25c01f3187afc5e56fb6a44930a1bbac

Fixed

5b4c88bf2da3c07ab78aed273de943a455e4bdfa

Database specific

{
    "versions": [
        {
            "introduced": "1.28.0"
        },
        {
            "fixed": "1.28.5"
        },
        {
            "introduced": "1.29.0"
        },
        {
            "fixed": "1.29.3"
        }
    ]
}

Affected versions

1.*

1.28.0

1.28.1

1.28.2

1.28.3

1.28.4

1.29.0

1.29.1

1.29.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25063.json"