Associated vulnerability
Title:
N/A
(CVE-2025-25062)
Description: An XSS issue was found in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. When the CKEditor 5 rich-text editor is used, it fails to sufficiently isolate long text content. This allows a potential attacker to craft specially formed HTML and JavaScript that may be executed when an administrator attempts to edit a piece of content. The impact of this vulnerability is reduced because the attacker must be able to create long text content (for example, through node or comment forms), and the administrator must edit (rather than merely view) the content containing the malicious markup. This issue exists only when the CKEditor 5 module is in use.
Description
Backdrop CMS 1.29.2 - Privilege Escalation via Stored XSS + CSRF
Introduction
# CVE-2025-25062
- [Description](#description)
- [Usage](#usage)
- [Example](#example)
- [Timeline](#timeline)
## Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in the [Backdrop CMS 1.29.2](https://github.com/backdrop/backdrop/releases/tag/1.29.2) post edit page. This script chains the vulnerability with a CSRF payload to achieve privilege escalation from the role of 'Editor' to 'Administrator'.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25062
## Usage
```
usage: CVE-2025-25062.py [-h] [-u BACKDROP_URL] --editor-username EDITOR_USERNAME --editor-password EDITOR_PASSWORD [--post-title POST_TITLE]
                         [--post-html-body POST_HTML_BODY] [--proxy-host PROXY_HOST] [--proxy-port PROXY_PORT]
options:
-h, --help show this help message and exit
-u BACKDROP_URL, --backdrop-url BACKDROP_URL
--editor-username EDITOR_USERNAME
--editor-password EDITOR_PASSWORD
--post-title POST_TITLE
--post-html-body POST_HTML_BODY
--proxy-host PROXY_HOST
--proxy-port PROXY_PORT
```
## Example
1. Observe the initial permissions of the `editor` and `admin` users.

2. Run the `CVE-2025-25062.py` script, providing the username and password for the user with permissions of `Editor`.

3. Log in as the `admin` user and browse to the link output by the script.

4. Observe the new `Administrator` permission on the `editor` user.

## Timeline
- 2024-12-14: Discovered and reported to Backdrop Security Team.
- 2024-12-15: Acknowledged by Backdrop Security Team. Fix scheduled for early January.
- 2025-01-06: Patch validated.
- 2025-01-08: Security update 1.29.3 released.
- 2025-02-03: CVE-2025-25062 assigned.
File snapshot
[4.0K] /data/pocs/05f633cc141c26c3e30b46d27d88f86bb8718547
├── [6.4K] CVE-2025-25062.py
├── [1.0K] LICENSE
├── [2.0K] README.md
└── [ 41] requirements.txt
0 directories, 4 files