ghsa-x6vr-q3vf-vqgq
Vulnerability from github
Published
2025-11-25 23:53
Modified
2025-11-27 09:01
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
Details

Summary

A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in.

Details

Control Flow:

  1. redaxo/src/addons/mediapool/pages/index.php reads args via rex_request('args', 'array') and passes them through as $argUrl to media.list.php.
  2. redaxo/src/addons/mediapool/pages/media.list.php injects $argUrl['args']['types'] into an HTML string without escaping:

if (!empty($argUrl['args']['types'])) { echo rex_view::info(rex_i18n::msg('pool_file_filter') . ' <code>' . $argUrl['args']['types'] . '</code>'); }

PoC

  1. Log into the REDAXO backend.
  2. While authenticated, open a crafted URL like: <host>/index.php?page=mediapool/media&args[types]="><img+src%3Dx+onerror%3Dalert%28document.domain%29>
  3. The info banner displays the unescaped value and activates the injected onerror handler, which opens an alert pop-up.

Impact

Arbitrary JavaScript execution in the backend, enabling theft of session cookies, CSRF tokens, or other sensitive data, and allowing an attacker to perform any administrative actions on behalf of the affected user.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "redaxo/source"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.20.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-25T23:53:04Z",
    "nvd_published_at": "2025-11-26T03:15:58Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter `args[types]` is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in.\n\n### Details\n\nControl Flow:\n\n1. `redaxo/src/addons/mediapool/pages/index.php` reads args via `rex_request(\u0027args\u0027, \u0027array\u0027)` and passes them through as `$argUrl` to `media.list.php`.\n2. `redaxo/src/addons/mediapool/pages/media.list.php` injects `$argUrl[\u0027args\u0027][\u0027types\u0027]` into an HTML string without escaping:\n\n```\nif (!empty($argUrl[\u0027args\u0027][\u0027types\u0027])) {\n    echo rex_view::info(rex_i18n::msg(\u0027pool_file_filter\u0027) . \u0027 \u003ccode\u003e\u0027 . $argUrl[\u0027args\u0027][\u0027types\u0027] . \u0027\u003c/code\u003e\u0027);\n}\n```\n\n### PoC\n\n1. Log into the REDAXO backend.\n2. While authenticated, open a crafted URL like: `\u003chost\u003e/index.php?page=mediapool/media\u0026args[types]=\"\u003e\u003cimg+src%3Dx+onerror%3Dalert%28document.domain%29\u003e`\n4. The info banner displays the unescaped value and activates the injected onerror handler, which opens an alert pop-up.\n\n### Impact\nArbitrary JavaScript execution in the backend, enabling theft of session cookies, CSRF tokens, or other sensitive data, and allowing an attacker to perform any administrative actions on behalf of the affected user.",
  "id": "GHSA-x6vr-q3vf-vqgq",
  "modified": "2025-11-27T09:01:42Z",
  "published": "2025-11-25T23:53:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/redaxo/redaxo/security/advisories/GHSA-x6vr-q3vf-vqgq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66026"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redaxo/redaxo/commit/58929062312cf03e344ab04067a365e6b6ee66aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/redaxo/redaxo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.