{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T11:41:45.083","vulnerabilities":[{"cve":{"id":"CVE-2025-25063","sourceIdentifier":"cve@mitre.org","published":"2025-02-03T04:15:09.760","lastModified":"2026-01-23T18:54:39.280","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting."},{"lang":"es","value":"Se descubrió un problema de XSS en Background CMS 1.28.x anterior a 1.28.5 y 1.29.x anterior a 1.29.3. No valida lo suficiente las imágenes SVG cargadas para garantizar que no contengan etiquetas SVG potencialmente peligrosas. Las imágenes SVG pueden contener enlaces en los que se puede hacer clic y secuencias de comandos ejecutables, y al usar un SVG manipulado, es posible ejecutar secuencias de comandos en el navegador cuando se visualiza una imagen SVG. Este problema se mitiga porque el atacante necesita poder cargar imágenes SVG y porque Background incrusta todas las imágenes SVG cargadas dentro de las etiquetas <img>, lo que evita que se ejecuten secuencias de comandos. El SVG debe visualizarse directamente por su URL para poder ejecutar cualquier secuencia de comandos incrustada."}],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.3,"impactScore":2.7}]},"weaknesses":[{"source":"cve@mitre.org","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:backdropcms:backdrop_cms:*:*:*:*:*:*:*:*","versionStartIncluding":"1.28.0","versionEndExcluding":"1.28.5","matchCriteriaId":"39EE496A-3364-4130-9E8F-D775C0F5E905"},{"vulnerable":true,"criteria":"cpe:2.3:a:backdropcms:backdrop_cms:*:*:*:*:*:*:*:*","versionStartIncluding":"1.29.0","versionEndExcluding":"1.29.3","matchCriteriaId":"BB62109D-7E44-4BDF-8508-FA491815FB75"}]}]}],"references":[{"url":"https://backdropcms.org/security/backdrop-sa-core-2025-002","source":"cve@mitre.org","tags":["Vendor Advisory"]}]}}]}