CVE-2025-27824

Severity CVSS v4.0:

Pending analysis

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

07/03/2025

Last modified:

07/03/2025

Description

An XSS issue was discovered in the Link iframe formatter module before 1.x-1.1.1 for Backdrop CMS. It doesn&#39;t sufficiently sanitize input before displaying results to the screen. This vulnerability is mitigated by the fact that an attacker must have the ability to create content containing an iFrame field.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.40 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Base Score 3.x

6.40

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://backdropcms.org/security/backdrop-sa-contrib-2025-003