CVE-2025-25062
Published: 03 February 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-25062 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Backdrop CMS versions 1.28.x prior to 1.28.5 and 1.29.x prior to 1.29.3. The issue arises in the CKEditor 5 rich text editor module, where long text content is not sufficiently isolated, allowing attackers to inject crafted HTML and JavaScript. It has a CVSS v3.1 base score of 4.4 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N), indicating medium severity: network accessible but with high attack complexity, low privileges required, user interaction needed, and changed scope with limited confidentiality and integrity impacts.
An authenticated attacker with low privileges, such as the ability to create long text content via node or comment forms, can exploit this by embedding malicious payloads. The payload executes only when an administrator edits, rather than merely views, the affected content, potentially leading to theft of admin session data or manipulation of the admin's browser context. Exploitation requires the CKEditor 5 module to be enabled and depends on the administrator's interaction.
The official Backdrop CMS security advisory (backdrop-sa-core-2025-001) recommends upgrading to Backdrop CMS 1.28.5 or 1.29.3 to mitigate the vulnerability. Additional details on the issue, including proof-of-concept exploitation, are available in third-party analyses such as those on Medium and GetAstra.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the web application lets an attacker exploit the public-facing application (T1190) to inject JavaScript that runs in the administrator's browser, which directly enables browser session hijacking (T1185) and theft of web session cookies (T1539), as described above.