Backdrop CMS
cpe:2.3:a:backdropcms:backdrop_cms:*:*:*:*:*:*:*
- >= 1.29, < 1.29.3
- >= 1.28, < 1.28.5
A cross-site scripting (XSS) vulnerability has been identified in Backdrop CMS versions 1.28.x prior to 1.28.5 and 1.29.x prior to 1.29.3. The issue arises because the platform does not adequately validate uploaded SVG images, allowing potentially dangerous SVG tags to be embedded. SVG files can include clickable links and executable scripts. When a crafted SVG is uploaded and viewed directly via its URL, it can execute scripts in the browser. Although Backdrop embeds uploaded SVGs within image tags, which normally prevents script execution, this vulnerability could still be exploited by users who can upload SVG files.
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.
Users are advised to upgrade to Backdrop CMS version 1.29.3 or 1.28.5. The latest version can be downloaded from the Backdrop CMS release page on GitHub. For update instructions, refer to the Backdrop documentation.
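An added example, not Backdrop's own code, of the upload-time validation the advisory says was missing: it parses a candidate SVG and reports scripting elements, event-handler attributes and non-local links so the file can be rejected before it is stored. The element and attribute policy (which tags and URL forms are disallowed) is an assumption of this example, not Backdrop's fix, and the sample SVGs are constructed.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml in production for entity-expansion safety

# Policy (assumed, not Backdrop's): anything that runs script or navigates
# when the SVG is opened directly by URL instead of inside an <img> tag.
SCRIPTING_ELEMENTS = {"script", "foreignobject"}
LINK_ELEMENTS = {"a"}
URL_ATTRIBUTES = {"href", "xlink:href"}   # names after namespace stripping
SAFE_URL_PREFIX = "#"                     # only same-document fragment references


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    if name.startswith("{"):
        ns, _, local = name[1:].partition("}")
        return ("xlink:" + local) if ns == "http://www.w3.org/1999/xlink" else local
    return name


def svg_upload_findings(svg_bytes: bytes) -> list:
    """Return the reasons an uploaded SVG should be rejected; empty means clean."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings = []
    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag in SCRIPTING_ELEMENTS:
            findings.append(f"scripting element <{tag}>")
        elif tag in LINK_ELEMENTS:
            findings.append("clickable link <a>")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):                     # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and not value.strip().startswith(SAFE_URL_PREFIX):
                findings.append(f"{name} on <{tag}> is not a local fragment reference")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    return not svg_upload_findings(svg_bytes)


# Constructed samples: a plain icon, and two files that would be rejected.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09f"/></svg>'
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* any script */</script></svg>'
LINKED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><a href="https://example.org/"><text>x</text></a></svg>'
```

Rejecting such files is only half of the fix the advisory describes; the other half is not serving stored SVGs as directly viewable `image/svg+xml` pages, for example by sending them with `Content-Disposition: attachment` or a restrictive Content-Security-Policy.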