CVE-2025-60453: n/a

Severity: Medium
Type: Vulnerability (CVE-2025-60453)
Published: Fri Oct 03 2025 (10/03/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.

AI-Powered Analysis

Last updated: 10/03/2025, 13:42:58 UTC

Technical Analysis

CVE-2025-60453 is a stored Cross-Site Scripting (XSS) vulnerability identified in MetInfo CMS version 8.0, specifically within the column management module located in the app\system\column\admin\index.class.php component. The vulnerability arises from improper sanitization and validation of SVG file uploads, allowing attackers to upload malicious SVG files containing embedded JavaScript code. When these SVG files are viewed or accessed by users, the embedded JavaScript executes in the context of the victim's browser, enabling attackers to perform actions such as session hijacking, credential theft, or delivering further malicious payloads. Stored XSS is particularly dangerous because the malicious script is persistently stored on the server and served to multiple users, increasing the attack surface. On the victim side, no interaction beyond viewing the malicious SVG file is required. On the attacker side, the upload mechanism is part of the column management module, which is intended for authenticated users but may be misconfigured to allow broader access, so the level of access needed to plant the file depends on how the module is exposed. No CVSS score is currently assigned, and no known exploits are reported in the wild as of the publication date. However, the presence of this vulnerability in a CMS platform used for website content management poses a significant risk, especially if the platform is used by organizations managing sensitive or high-traffic websites.

Potential Impact

For European organizations using MetInfo CMS version 8.0, this vulnerability could lead to significant security breaches. Successful exploitation can compromise the confidentiality of user data through session hijacking or theft of authentication tokens. Integrity can be affected by unauthorized content injection or manipulation of displayed information. Availability impact is generally low for XSS but could be indirectly affected if attackers use the vulnerability to deploy further attacks such as malware distribution or phishing campaigns. Given the persistent nature of stored XSS, multiple users including administrators and site visitors could be affected, amplifying the potential damage. Organizations in sectors such as government, finance, healthcare, and e-commerce, which rely on web platforms for critical services, may face reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The lack of a patch or mitigation guidance increases the urgency for affected organizations to implement compensating controls.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first verify if they are using MetInfo CMS version 8.0 and assess whether the column management module is in use. Immediate steps include disabling SVG file uploads or restricting upload functionality to trusted administrators only. Implement strict server-side validation and sanitization of uploaded SVG files to remove or neutralize embedded scripts. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources from which scripts can be loaded. Regularly monitor and audit uploaded content for malicious files. If possible, upgrade to a patched version of MetInfo CMS once available. Additionally, web application firewalls (WAFs) can be configured to detect and block malicious SVG payloads. Educate administrators and users about the risks of interacting with untrusted content. Finally, conduct thorough penetration testing and code reviews focusing on file upload functionalities to prevent similar vulnerabilities.
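The server-side screening and response-header hardening recommended above, as an added example written for this page (not MetInfo's code and not from the advisory), using only the Python standard library: it flags `<script>` and `<foreignObject>` elements, `on*` event-handler attributes and `javascript:`-style hrefs in an uploaded SVG, and builds the headers for serving a stored SVG so that the CSP travels with the SVG response itself (a CSP on the site's HTML pages does not govern an SVG opened directly as a document). The sample SVGs and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Elements that can carry executable or foreign (HTML) content inside SVG.
# <set>/<animate> are included because SMIL can rewrite attributes such as href.
DANGEROUS_TAGS = {"script", "foreignObject", "set", "animate"}
URL_SCHEMES = ("javascript:", "data:", "vbscript:")

def _local(name):
    """Strip an XML namespace prefix like '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]

def find_svg_script_vectors(data: bytes) -> list:
    """Return reasons to reject the upload; an empty list means it passed.
    Uses the stdlib parser for brevity; in production prefer defusedxml so the
    parser itself is also protected against entity-expansion attacks."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            lname = _local(attr).lower()
            if lname.startswith("on"):            # onload=, onclick=, ...
                findings.append(f"event handler {lname} on <{tag}>")
            elif lname == "href":                 # href= or xlink:href=
                v = "".join(value.split()).lower()  # "java script:" is still caught
                if v.startswith(URL_SCHEMES):
                    findings.append(f"{lname}={value!r} on <{tag}>")
    return findings

def svg_response_headers(filename: str) -> dict:
    """Headers for serving a stored SVG (filename assumed already sanitized):
    nosniff plus a no-script CSP on the SVG response, and a download disposition
    so the file never renders as a document in the site's origin."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }

# Constructed samples: a benign icon and one carrying three script vectors.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
HOSTILE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
               b'<script>1</script><a href="java script:1"><text>t</text></a></svg>')
```

Run `find_svg_script_vectors` on each upload before it is written to disk and reject anything with a non-empty result; files that pass are still served with `svg_response_headers`, since a sanitizer is a filter and not a guarantee.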


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68dfd2c47375cad79a84239b

Added to database: 10/3/2025, 1:42:28 PM

Last enriched: 10/3/2025, 1:42:58 PM

Last updated: 10/7/2025, 9:07:47 AM

Views: 19
