CVE-2025-35060

5.5 MEDIUM

📋 TL;DR

Newforma Info Exchange (NIX) has a cross-site scripting (XSS) vulnerability in its 'Send a File Transfer' feature that allows authenticated attackers to upload malicious SVG files. When viewed through mobile web browsers, these files can execute arbitrary JavaScript in the victim's context. This affects organizations using NIX with authenticated user access.

💻 Affected Systems

Products:
  • Newforma Info Exchange (NIX)
Versions: Specific versions not detailed in CVE; all versions with vulnerable 'Send a File Transfer' feature are affected.
Operating Systems: Windows Server (typical deployment), Linux (if applicable)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default configurations where the file transfer feature is enabled and SVG uploads are permitted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through stored XSS.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the application interface for users accessing via mobile browsers.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but affects internet-facing NIX instances accessible via mobile browsers.
🏢 Internal Only: MEDIUM - Internal users with authenticated access could be targeted via malicious SVG uploads.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated attacker access and victim using mobile browser to view malicious SVG. SVG files with embedded JavaScript are the attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Newforma vendor advisory for specific patched versions.

Vendor Advisory: https://www.newforma.com/security-advisories/ (check for CVE-2025-35060)

Restart Required: No

Instructions:

1. Apply the latest security patch from Newforma.
2. Verify the patch addresses SVG file validation.
3. Test the 'Send a File Transfer' feature post-patch.

🔧 Temporary Workarounds

Disable SVG uploads - all

Configure NIX to block SVG file uploads in the file transfer feature.

Configure via NIX admin interface: Settings > File Transfer > Allowed File Types - remove .svg

Implement Content Security Policy - all

Add CSP headers to prevent inline script execution from SVG files. The header must be sent on the response that serves the uploaded SVG itself, not only on the application's HTML pages, because the browser enforces the policy of the document it is rendering.

Add to web server config: Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Restrict file upload permissions to trusted users only.
  • Monitor and audit SVG file uploads through the file transfer feature.
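As an added example (not NIX's code and not taken from this advisory), a server-side upload gate in Python that audits SVG uploads for script-capable content before the file-transfer feature accepts them. The function names and the sample SVG files are constructed for illustration; it assumes only the standard library, and a production deployment should parse untrusted XML with defusedxml instead.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# Hypothetical upload gate (not NIX code). It rejects SVG uploads that can carry
# script: <script> elements, on* event-handler attributes and javascript: URIs.
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree adds to tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG should be rejected; an empty list means clean."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for el in root.iter():  # iter() includes the root element itself
        tag = _local(el.tag)
        if tag == "script":
            findings.append("<script> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and JS_SCHEME.match(value):  # covers href and xlink:href
                findings.append(f"javascript: URI in <{tag}> href")
    return findings


def accept_upload(filename: str, content_type: str, data: bytes) -> bool:
    """Gate for the file-transfer upload: SVGs are scanned, other types pass here."""
    if filename.lower().endswith(".svg") or content_type == "image/svg+xml":
        return not svg_findings(data)
    return True


# Constructed sample uploads (not taken from the advisory):
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>void(0)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect onload="void(0)"/></svg>'
XLINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                          ("handler", HANDLER_SVG), ("xlink", XLINK_SVG)]:
        print(label, svg_findings(sample) or "accepted")
```

Rejected uploads should also be logged with the finding text, which gives the audit trail the workaround above asks for.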

🔍 How to Verify

Check if Vulnerable:

Test by uploading an SVG file with JavaScript content via the 'Send a File Transfer' feature and attempting to view it on a mobile browser.

Check Version:

Check NIX version via admin interface or consult Newforma documentation.

Verify Fix Applied:

After patching, attempt the same test; JavaScript should not execute in the SVG.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads via file transfer feature
  • Multiple failed SVG upload attempts

Network Indicators:

  • HTTP requests for SVG files with suspicious parameters
  • Unexpected JavaScript execution in file transfer sessions

SIEM Query:

source="nix_logs" AND (file_extension=".svg" OR file_type="image/svg+xml")
