CVE-2025-27824
MEDIUMLink iframe formatter < 1.x-1.1.1 - Cross-Site Scripting in iFrame Field
Title source: llmDescription
An XSS issue was discovered in the Link iframe formatter module before 1.x-1.1.1 for Backdrop CMS. It doesn't sufficiently sanitize input before displaying results to the screen. This vulnerability is mitigated by the fact that an attacker must have the ability to create content containing an iFrame field.
References (1)
Core 1
Core References
Various Sources
https://backdropcms.org/security/backdrop-sa-contrib-2025-003
Scores
CVSS v3
6.4
EPSS
0.0021
EPSS Percentile
11.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
backdropcms/Link iframe formatter
< 1.x-1.1.1
Published
Mar 07, 2025
Tracked Since
Feb 18, 2026