How to fix CVE-2025-25063?

During next maintenance window: Identify affected systems running Backdrop CMS 1.28.x and apply vendor patches when convenient. Verify Content-Security-Policy and output encoding.

Is Backdrop Cms affected by CVE-2025-25063?

Organizations using Backdrop CMS 1.28.x should be aware of moderate risk from CVE-2025-25063, a cross-site scripting vulnerability rated CVSS 4.4. Attackers could inject scripts to steal sessions or perform actions as authenticated users.

Backdrop Cms CVE-2025-25063

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2025-02-03 [email protected]

XSS Backdrop Cms

4.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:06 vuln.today

CVE Published

Feb 03, 2025 - 04:15 nvd

MEDIUM 4.4

DescriptionNVD

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.

AnalysisAI

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting. Affected products include: Backdropcms Backdrop Cms. Version information: before 1.28.5.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2025-25063 vulnerability details – vuln.today

Back