CVE-2025-25062

CVSS 3.1 Score 4.4 of 10 (medium)

Details

Published Feb 3, 2025
CWE ID 79

Summary

CVE-2025-25062 is a Cross-Site Scripting (XSS) vulnerability affecting Backdrop CMS versions 1.28.x before 1.28.5 and 1.29.x before 1.29.3. The CKEditor 5 rich text editor does not sufficiently isolate long text content, so crafted HTML and JavaScript contained in that content can execute when an administrator edits it. Exploitation is limited to users who can create and edit long text content, such as through node or comment forms. The issue only occurs when the CKEditor 5 module is in use.
