| purl | pkg:composer/redaxo/source@5.10.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-43rj-4gkz-nkh9 (Aliases: CVE-2025-27411, GHSA-wppf-gqj5-fc4f) | REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3. | Affected by 4 other vulnerabilities. |
| VCID-6khs-z7j6-t3d5 (Aliases: CVE-2026-21857, GHSA-824x-88xg-cwrv) | REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue. | Affected by 0 other vulnerabilities. |
| VCID-9tsa-vfy2-4ye8 (Aliases: CVE-2024-50803, GHSA-m5vv-7jxc-8p6x) | The mediapool feature of the Redaxo Core CMS application v5.17.1 is vulnerable to Cross-Site Scripting (XSS), which allows a remote attacker to escalate privileges. | Affected by 7 other vulnerabilities. |
| VCID-a7bz-5fnn-27bn (Aliases: CVE-2024-25298, GHSA-7f2v-5877-rx3x) | An issue was discovered in REDAXO version 5.15.1 that allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php. | Affected by 10 other vulnerabilities. |
| VCID-cvjn-52xx-t7af (Aliases: CVE-2025-64049, GHSA-vqc7-7fj4-3fm3) | A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding a slice that uses the compromised module. | Affected by 1 other vulnerability. |
| VCID-hb2z-pwuj-qyax (Aliases: CVE-2025-27412, GHSA-8366-xmgf-334f) | REDAXO is a PHP-based CMS. In Redaxo from 5.0.0 through 5.18.2, the rex-api-result parameter is vulnerable to reflected cross-site scripting (XSS) on the AddOns page. This vulnerability is fixed in 5.18.3. | Affected by 4 other vulnerabilities. |
| VCID-kqky-74hg-fkc6 (Aliases: CVE-2024-46209, GHSA-2p95-8xvm-2pjx) | A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the password parameter. | Affected by 7 other vulnerabilities. |
| VCID-vbpx-vpps-q7g2 (Aliases: CVE-2025-66026, GHSA-x6vr-q3vf-vqgq) | REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected cross-site scripting (XSS) vulnerability exists in the Mediapool view, where the request parameter args[types] is rendered into an info banner without HTML escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1. | Affected by 1 other vulnerability. |
| VCID-wj2a-1yb5-tyde (Aliases: CVE-2025-64050, GHSA-xj9j-gjxg-7jvq) | A remote code execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages that use the compromised template. | Affected by 1 other vulnerability. |
| VCID-wrm2-fcq1-aqfj (Aliases: CVE-2024-46212, GHSA-37gm-h5wr-pf25) | An issue in the component /index.php?page=backup/export of REDAXO CMS v5.17.1 allows attackers to perform a directory traversal. | There are no reported fixed-by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |