CVE-2025-27823: XSS
An issue was discovered in the Mail Disguise module before 1.x-1.0.5 for Backdrop CMS. It enables a website to obfuscate email addresses, and should prevent spambots from collecting them. The module doesn't sufficiently validate the data attribute value on links, potentially leading to a Cross Site Scripting (XSS) vulnerability. This is mitigated by the fact an attacker must be able to insert link (<a>) HTML elements containing data attributes into the page.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2025-27823?
CVE-2025-27823 is classified as a high severity vulnerability affecting Backdrop CMS.
What impact does CVE-2025-27823 have on Backdrop CMS?
CVE-2025-27823 allows attackers to exploit insufficient validation in the Mail Disguise module, potentially leading to Cross Site Scripting (XSS) attacks.
How do I fix CVE-2025-27823?
To fix CVE-2025-27823, update the Mail Disguise module to version 1.x-1.0.5 or later.
Who is affected by CVE-2025-27823?
Websites using the Mail Disguise module version prior to 1.x-1.0.5 in Backdrop CMS are affected by CVE-2025-27823.
Is there a workaround for CVE-2025-27823?
There are no specific workarounds for CVE-2025-27823; the recommended action is to update the affected module.