
PoC details: 05f633cc141c26c3e30b46d27d88f86bb8718547

Related vulnerability
Title: Backdrop CMS security vulnerability (CVE-2025-25062)
Description: Backdrop CMS is an open-source content management system (CMS) from the Backdrop CMS project. Backdrop CMS 1.28.x versions before 1.28.5 and 1.29.x versions before 1.29.3 contain a security vulnerability: when CKEditor 5 is used, long-text content is not adequately sanitized, which exposes the site to cross-site scripting attacks.
Description
Backdrop CMS 1.29.2 - Privilege Escalation via Stored XSS + CSRF
Introduction
# CVE-2025-25062

- [Description](#description)
- [Usage](#usage)
- [Example](#example)
- [Timeline](#timeline)

## Description
A Stored Cross-Site-Scripting (XSS) vulnerability exists in the [Backdrop CMS 1.29.2](https://github.com/backdrop/backdrop/releases/tag/1.29.2) post edit page. This script chains the vulnerability with a CSRF payload to achieve privilege escalation from the role of 'Editor' to 'Administrator'.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25062

## Usage

```
usage: CVE-2025-25062.py [-h] [-u BACKDROP_URL] --editor-username EDITOR_USERNAME --editor-password EDITOR_PASSWORD [--post-title POST_TITLE]
                          [--post-html-body POST_HTML_BODY] [--proxy-host PROXY_HOST] [--proxy-port PROXY_PORT]

options:
  -h, --help            show this help message and exit
  -u BACKDROP_URL, --backdrop-url BACKDROP_URL
  --editor-username EDITOR_USERNAME
  --editor-password EDITOR_PASSWORD
  --post-title POST_TITLE
  --post-html-body POST_HTML_BODY
  --proxy-host PROXY_HOST
  --proxy-port PROXY_PORT
```

## Example

1. Observe the initial permissions of the `editor` and `admin` users.
   
![image](https://github.com/user-attachments/assets/034bd5a0-2470-41fa-bdde-29b1b72437cd)

2. Run the `CVE-2025-25062.py` script, providing the username and password for the user with permissions of `Editor`.

![image](https://github.com/user-attachments/assets/27eff287-1a22-4f1f-9b07-6ddbe5dffa11)

3. Log in as the `admin` user and browse to the link output by the script.

![image](https://github.com/user-attachments/assets/1180aeb4-5627-44f6-9ebf-09ddbe39a95e)

4. Observe the new `Administrator` permission on the `editor` user.

![image](https://github.com/user-attachments/assets/9cd52f60-9cff-4cf2-a705-a1e229bc121e)

## Timeline
- 2024-12-14: Discovered and reported to Backdrop Security Team.
- 2024-12-15: Acknowledged by Backdrop Security Team. Fix scheduled for early January.
- 2025-01-06: Patch validated.
- 2025-01-08: Security update 1.29.3 released.
- 2025-02-03: CVE-2025-25062 assigned.
File snapshot

```
[4.0K] /data/pocs/05f633cc141c26c3e30b46d27d88f86bb8718547
├── [6.4K] CVE-2025-25062.py
├── [1.0K] LICENSE
├── [2.0K] README.md
└── [  41] requirements.txt

0 directories, 4 files
```
Cached for you by the Shenlong bot.
Notes
    1. Accessing the PoC through the original source is recommended.
    2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for or donating toward the local PoC. Thank you for your support.