CVE-2025-60450: n/a
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.
AI Analysis
Technical Summary
CVE-2025-60450 is a stored Cross-Site Scripting (XSS) vulnerability in MetInfo CMS version 8.0. The root cause is insufficient validation and sanitization of SVG uploads handled by app\system\include\module\editor\Uploader.class.php: the upload handler accepts SVG files without stripping or rejecting active content, so an attacker can store an SVG that carries JavaScript (a <script> element, an on* event handler such as onload, or a javascript: href) on the server. SVG is an XML document format, not a passive bitmap. When a browser opens the stored file directly by its URL, or embeds it through <object>, <embed> or <iframe>, the embedded script runs in the CMS origin with that origin's cookies and storage; when the same file is only referenced from an <img> element or a CSS background, browsers do not execute its scripts. The direct-URL case is therefore the one that matters, and it is reachable by any user who can be sent a link to the uploaded file.
The CVSS 3.1 base score is 6.1 (medium). The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N reads as: network attack vector, low attack complexity, no privileges required, user interaction required (a victim must open the malicious SVG), changed scope, low confidentiality and integrity impact, no availability impact. Scope is changed because the vulnerable component is the CMS upload handler while the impact lands in the victim's browser, a different security authority. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'). At the time of publication no exploitation in the wild had been reported and no vendor patch had been linked. The flaw deserves attention because many CMS deployments allow SVG uploads for logos and icons, and a script executing in a logged-in user's browser can hijack the session, deface content, or redirect visitors to malicious sites.
Because user interaction is required, an attacker will typically deliver the link to the stored SVG through phishing or other social engineering. MetInfo CMS is less widespread globally than the major CMS platforms but is used in various regions for website management, including by some European organizations. With no patch available at disclosure, risk reduction has to come from deployment-side controls.
Potential Impact
For organizations running MetInfo CMS version 8.0, including the European ones this analysis focuses on, the risk is to the site's users rather than to the server process itself. A script executing in a user's browser on the CMS origin can read that origin's cookies (unless they are marked HttpOnly) and local storage, issue authenticated requests to the CMS with the victim's session, and perform any action the victim's role allows, which against an administrator extends to the site's content and configuration. Since the vector scores confidentiality and integrity impact but no availability impact, the primary concern is session theft and content manipulation rather than service downtime. Public-facing websites and intranet portals are most exposed when SVG uploads are enabled for low-privilege or unauthenticated users and the upload directory is served from the same origin as the CMS. The user-interaction requirement means the attacker must get a victim to open the stored SVG, typically through phishing or social engineering. The changed scope in the CVSS vector records that the impact reaches the browser of every user who opens the file, not only the upload component, which is what makes a single stored payload reusable against many victims. The absence of known exploitation in the wild lowers immediate risk but does not eliminate it: SVG XSS payloads are well documented and need little adaptation once an upload path is identified. Under GDPR and other European data protection regulations, any compromise of user data or session information could lead to regulatory penalties and loss of customer trust.
Mitigation Recommendations
1. Disable SVG file uploads in MetInfo CMS until a patch is available. If SVG is needed for logos or icons, have an administrator convert the files to PNG or sanitize them offline before placing them on the site.
2. Validate and sanitize SVG files server-side on upload: parse the file as XML, reject any DOCTYPE, and remove or reject <script> and <foreignObject> elements, every on* event-handler attribute, and href/xlink:href values that use the javascript:, vbscript: or data: schemes. Extension and MIME-type checks alone do not help, because the malicious file is a well-formed SVG.
3. Serve the upload directory so that a stored SVG cannot run as a same-origin document: send Content-Disposition: attachment and X-Content-Type-Options: nosniff on responses from the upload path, attach a Content-Security-Policy header with sandbox or script-src 'none' to those responses, or host uploads on a separate origin. A CSP on the CMS's HTML pages does not cover an SVG opened by its own URL; the header must be on the SVG response itself.
4. Educate users and administrators about the risks of opening untrusted SVG files, especially ones uploaded by unknown or untrusted users.
5. Monitor web server logs and CMS upload activity for SVG uploads and for direct requests to uploaded .svg files, and sweep the existing upload directory for files containing <script, on* attributes or javascript: URLs so that payloads stored before mitigation are found.
6. Apply the principle of least privilege to CMS user roles so that only roles that need it can upload files.
7. Apply official patches or updates from MetInfo CMS addressing this vulnerability as soon as they are available.
8. Add web application firewall (WAF) rules that flag <script, on*= and javascript: inside multipart uploads with an SVG extension or an image/svg+xml content type. Treat this as a stopgap: entity-encoded and whitespace-split variants bypass naive pattern matching, which is why the server-side check in item 2 parses the XML instead of grepping it.
9. Regularly review and update security policies for file uploads and content sanitization within the CMS environment.
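As an added reference implementation of the server-side check in item 2 and the upload sweep in item 5, the following Python is not MetInfo's own code (MetInfo is PHP) and does not reproduce Uploader.class.php; the function names check_svg, is_safe_svg and sweep_uploads are this example's own, and the two SVG samples are constructed for the demonstration. It parses the file as XML rather than pattern-matching, so the entity-encoded newline in the sample's javascript: URL is still caught.

```python
"""Reject SVG uploads that carry active content, and sweep existing uploads.

Added example (Python, not MetInfo's PHP code): the checks an upload handler
such as Uploader.class.php would need to apply server-side before accepting
an SVG, also usable as-is to triage files already sitting in an upload folder.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Elements that execute script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# SMIL animation elements can rewrite another element's href to a javascript: URL.
ANIMATION_ELEMENTS = {"set", "animate"}
# Attributes whose value is a URL the browser will navigate to or load.
URL_ATTRS = {"href", XLINK_HREF}
# A DOCTYPE has no business in an uploaded icon and is the carrier for
# entity-expansion and external-entity tricks, so it is rejected outright.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# Browsers strip ASCII control characters and whitespace before parsing a URL
# scheme, so "java\nscript:" is still javascript:; normalise the same way.
SCHEME_RE = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def _dangerous_scheme(value: str) -> bool:
    return SCHEME_RE.match(re.sub(r"[\x00-\x20]", "", value)) is not None


def check_svg(data: bytes) -> List[str]:
    """Return the findings for one SVG; an empty list means it passed."""
    findings: List[str] = []
    if DOCTYPE_RE.search(data):
        findings.append("DOCTYPE declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not an SVG document")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        # attributeName is a literal such as "href" or "xlink:href"
        target = el.get("attributeName", "").rsplit(":", 1)[-1].lower()
        if name in ANIMATION_ELEMENTS and target == "href":
            findings.append(f"<{name}> animating href")
        for attr, value in el.attrib.items():
            attr_name = _local(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            if attr in URL_ATTRS and _dangerous_scheme(value):
                findings.append(f"{attr_name} on <{name}> uses a script or data: URL")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """The accept/reject decision an upload handler would make."""
    return not check_svg(data)


def sweep_uploads(files: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Report every .svg that fails, keyed by file name, for triage of existing uploads."""
    report: Dict[str, List[str]] = {}
    for name, data in files:
        if name.lower().endswith(".svg"):
            findings = check_svg(data)
            if findings:
                report[name] = findings
    return report


# Constructed samples (not real uploads): a harmless icon, and one carrying
# an onload handler, a <script> element and a whitespace-split javascript: href.
BENIGN_SVG = (
    b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">'
    b'<circle cx="8" cy="8" r="6" fill="#09f"/></svg>'
)
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    b'onload="alert(document.domain)">'
    b'<script>alert(1)</script>'
    b'<a xlink:href="java&#10;script:alert(2)"><text y="12">click</text></a>'
    b'</svg>'
)

if __name__ == "__main__":
    for fname, blob in (("logo.svg", BENIGN_SVG), ("avatar.svg", MALICIOUS_SVG)):
        print(fname, "OK" if is_safe_svg(blob) else check_svg(blob))
```

The checker is deliberately a reject-list over a parsed tree rather than a byte-level grep: the XML parser decodes the `&#10;` in the sample before the scheme test runs, and the same normalisation defeats tab- or newline-split schemes. Files that fail should be rejected, not "cleaned", since a rewritten SVG is easy to get subtly wrong; if sanitization is required, use a maintained allow-list sanitizer instead of extending this list.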
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68dff1cb58033f1b088a766a
Added to database: 10/3/2025, 3:54:51 PM
Last enriched: 10/3/2025, 3:55:12 PM
Last updated: 10/3/2025, 4:39:41 PM
Related Threats
CVE-2025-56551: n/a (High)
CVE-2025-2098: CWE-732 Incorrect Permission Assignment for Critical Resource in Beijing Honghu Yuntu Technology Fast CAD Reader (High)
CVE-2025-1542: CWE-425 Direct Request ('Forced Browsing') in Infonet Projekt SA OXARI ServiceDesk (Critical)
CVE-2025-1413: CWE-732 Incorrect Permission Assignment for Critical Resource in Blackmagic Design Inc DaVinci Resolve (High)
CVE-2025-55972: n/a (High)