CVE-2025-27824: XSS
First published: Fri Mar 07 2025(Updated: )
An XSS issue was discovered in the Link iframe formatter module before 1.x-1.1.1 for Backdrop CMS. It doesn't sufficiently sanitize input before displaying results to the screen. This vulnerability is mitigated by the fact that an attacker must have the ability to create content containing an iFrame field.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Backdrop | <1.x-1.1.1 | |
| Backdrop Link iframe formatter | <1.x-1.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-27824?
CVE-2025-27824 is classified as a moderate severity vulnerability affecting Backdrop CMS.
How do I fix CVE-2025-27824?
To fix CVE-2025-27824, update the Link iframe formatter module to version 1.x-1.1.1 or later.
What type of vulnerability is CVE-2025-27824?
CVE-2025-27824 is an XSS (Cross-Site Scripting) vulnerability that allows untrusted input to be displayed without proper sanitization.
Who is affected by CVE-2025-27824?
CVE-2025-27824 affects users of Backdrop CMS with versions prior to 1.x-1.1.1 that have the Link iframe formatter module installed.
Can an attacker exploit CVE-2025-27824 easily?
An attacker must have permission to create content containing an iframe, making exploitation dependent on user permissions.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/severity
- agent/event
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/backdrop
- canonical/backdrop
- canonical/backdrop link iframe formatter