CVE-2025-60451 is a stored Cross-Site Scripting (XSS) vulnerability identified in MetInfo CMS version 8.0. The vulnerability arises from inadequate validation and sanitization of SVG file uploads within the component app\system\include\module\uploadify.class.php, specifically in the website settings module. SVG files, being XML-based vector images, can embed JavaScript code. Due to the insufficient filtering of uploaded SVG content, attackers can craft malicious SVG files containing executable JavaScript. When these files are uploaded and subsequently viewed or accessed by users or administrators, the embedded script executes in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The vulnerability is classified as stored XSS because the malicious payload is persistently stored on the server and served to users, increasing the attack's impact and reach. No CVSS score has been assigned yet, and there are no known exploits in the wild at the time of publication. The lack of patch links suggests that a fix may not yet be publicly available or widely distributed. The vulnerability affects MetInfo CMS version 8.0, a content management system used for website management, which implies that websites running this version are at risk if they allow SVG uploads in the affected module.

For European organizations using MetInfo CMS version 8.0, this vulnerability poses a significant risk to web application security. Stored XSS can compromise the confidentiality and integrity of user sessions, potentially allowing attackers to impersonate legitimate users, including administrators. This can lead to unauthorized access to sensitive data, manipulation of website content, or distribution of malware to site visitors. The attack can also damage organizational reputation and lead to regulatory non-compliance, especially under GDPR, if personal data is exposed or mishandled. Since the vulnerability exploits SVG uploads in the website settings module, it may be leveraged to target administrative users who manage the CMS, increasing the likelihood of privilege escalation or further exploitation. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details become widely known. The impact is heightened in sectors with high web presence such as e-commerce, government portals, and media organizations within Europe.

European organizations should implement several targeted mitigation strategies: 1) Immediately restrict or disable SVG file uploads in MetInfo CMS until a patch is available. 2) Employ strict server-side validation and sanitization of SVG files, using libraries that can safely parse and remove embedded scripts or disallowed elements. 3) Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 4) Monitor web server logs and CMS activity for unusual upload patterns or access to SVG files. 5) Educate CMS administrators about the risks of uploading untrusted SVG files and encourage the use of alternative image formats where possible. 6) Stay updated with MetInfo CMS vendor advisories for patches or security updates addressing this vulnerability and apply them promptly. 7) Consider deploying Web Application Firewalls (WAF) with rules to detect and block malicious SVG payloads. These measures go beyond generic advice by focusing on the specific vector (SVG uploads) and the affected CMS component.