
CVE-2025-60454: n/a

Severity: Medium
Published: Fri Oct 03 2025 (10/03/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\img_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.

AI-Powered Analysis

Last updated: 10/03/2025, 13:42:46 UTC

Technical Analysis

CVE-2025-60454 is a stored Cross-Site Scripting (XSS) vulnerability identified in MetInfo CMS version 8.0, specifically within the image management module located in the app\system\img\admin\img_admin.class.php component. The vulnerability arises because the system allows attackers to upload SVG files that contain embedded JavaScript code. When these malicious SVG files are subsequently viewed or accessed by users, the embedded JavaScript executes in their browsers. Stored XSS vulnerabilities are particularly dangerous because the malicious payload is saved on the server and served to multiple users, potentially affecting any user who accesses the compromised content. The attack vector involves uploading a crafted SVG file that bypasses any existing input validation or sanitization controls. Since SVG files are XML-based and can contain script elements, if the CMS does not properly sanitize or restrict SVG content, attackers can embed JavaScript that executes in the context of the victim's browser session. This can lead to session hijacking, credential theft, unauthorized actions on behalf of the user, or distribution of malware. The vulnerability is notable because it targets an administrative component (image management), which may be accessed by privileged users, increasing the risk of privilege escalation or further compromise. No CVSS score is currently assigned, and no known exploits are reported in the wild as of the publication date. However, the nature of stored XSS and the ability to upload malicious files make this a significant security concern. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps by administrators using MetInfo CMS 8.0.

Potential Impact

For European organizations using MetInfo CMS 8.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their web applications and user data. Exploitation could allow attackers to execute arbitrary JavaScript in the browsers of users, including administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized administrative actions, or the spread of malware. This could result in data breaches, reputational damage, regulatory non-compliance (e.g., GDPR violations), and operational disruptions. Since the vulnerability resides in an administrative module, exploitation could facilitate deeper system compromise or lateral movement within the organization’s infrastructure. European organizations in sectors such as government, finance, healthcare, and e-commerce, which often rely on CMS platforms for public-facing websites or intranet portals, are particularly at risk. The absence of known exploits currently reduces immediate threat levels but does not eliminate the risk, as attackers may develop exploits rapidly once the vulnerability is public. The potential impact is amplified by the ability to target multiple users through stored XSS, increasing the attack surface and potential damage.

Mitigation Recommendations

1. Immediate Restriction: Disable or restrict the image upload functionality in the MetInfo CMS image management module until a patch is available.
2. Input Validation and Sanitization: Implement strict server-side validation to reject SVG files containing script elements or other potentially malicious content. Use SVG sanitization libraries that remove JavaScript and other executable content from SVG files before allowing uploads.
3. Content Security Policy (CSP): Deploy a robust CSP on affected web applications to restrict the execution of inline scripts and limit the domains from which scripts can be loaded, mitigating the impact of XSS.
4. User Access Controls: Limit access to the image management module to trusted administrators only and monitor their activities closely.
5. Monitoring and Logging: Enable detailed logging of file uploads and of access to uploaded images to detect suspicious activity.
6. Patch Management: Monitor MetInfo CMS vendor communications for official patches or updates addressing this vulnerability and apply them promptly.
7. Web Application Firewall (WAF): Use a WAF with rules designed to detect and block malicious SVG uploads or XSS payloads.
8. Educate Users: Train administrators and users to recognize suspicious behavior and to report anomalies related to image uploads or website behavior.

These steps go beyond generic advice by focusing on the specific attack vector (malicious SVG uploads) and the affected component (image management module).
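The server-side check from recommendation 2, written out as an added example (this is not MetInfo code and does not reflect how img_admin.class.php handles uploads): the upload is parsed as XML and rejected if it carries a script-bearing element, an event-handler attribute, a javascript: URL, or a DTD. The deny-lists and the sample uploads are constructed for this example.

```python
"""Validate uploaded SVG files server-side (added example, not MetInfo code)."""
import re
import xml.etree.ElementTree as ET

# Element local names that can execute script or embed foreign active content.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}  # attribute values the browser may navigate to or load
# Matches a javascript: scheme even with mixed case and interleaved whitespace.
JS_SCHEME = re.compile(r"^[\s\x00-\x1f]*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.I)


def _local(name: str) -> str:
    """Drop a Clark-notation namespace such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_violations(data: bytes) -> list[str]:
    """Return the reasons this upload must be rejected; an empty list means it passed."""
    # DOCTYPE/ENTITY declarations enable entity-expansion attacks; refuse them early.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if _local(root.tag) != "svg":
        problems.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            problems.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onbegin, ...
                problems.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and JS_SCHEME.match(value):
                problems.append(f"javascript: URL in {name} on <{tag}>")
    return problems


def is_safe_svg(data: bytes) -> bool:
    """Gate for the upload handler: store the file only when this returns True."""
    return not svg_violations(data)


# Constructed sample uploads (xlink:href uses a tab inside the scheme on purpose).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><rect width="8" height="8" fill="#0a0"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><rect width="1" height="1"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="JaVa\tscript:x()"><text>hi</text></a></svg>')
```

A deny-list parser cannot anticipate every browser parsing quirk, so this gate belongs in front of storage together with recommendation 3: serve stored uploads under a CSP that forbids inline script.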


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68dfd2c47375cad79a84239e

Added to database: 10/3/2025, 1:42:28 PM

Last enriched: 10/3/2025, 1:42:46 PM

Last updated: 10/7/2025, 1:41:06 PM
