REDAXO allows Authenticated Reflected Cross Site Scripting - packages installation

CVE-2025-27412 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Summary

Reflected cross-site scripting (XSS) is a type of web vulnerability that occurs when a web application fails to properly sanitize user input, allowing an attacker to inject malicious code into the application's response to a user's request. When the user's browser receives the response, the malicious code is executed, potentially allowing the attacker to steal sensitive information or take control of the user's account.

Details

On the latest version of Redaxo, v5.18.2, the rex-api-result parameter is vulnerable to Reflected cross-site scripting (XSS) on the page of AddOns.

PoC

  1. Login Redaxo as administrative user.
  2. Navigate to the URL: http://localhost/redaxo/index.php?page=packages&rex-api-call=package&&rex-api-result={%22succeeded%22%3Atrue%2C%22message%22%3A%22%3Cimg%20src=x%20onerror=alert(document.domain);%3E%22}, the XSS executes.

2025-02-14_13-45

Impact

This can lead to various security risks, including session hijacking, phishing attacks and malware distribution. History page visible to administrative user and when an administrator views the infected page, the attacker may gain elevated privileges, further compromising the system.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-03-05 19:03:08 UTC
Updated
2025-03-05 19:03:09 UTC
GitHub reviewed
2025-03-05 19:03:08 UTC
NVD published
2025-03-05

EPSS Score

Score Percentile
0.84% 74.71%

CVSS Scores

Base score Version Severity Vector
6.1 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

Type Value
GHSA GHSA-8366-xmgf-334f ↗
CVE CVE-2025-27412 ↗

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • 0xadik (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer redaxo/source >= 5.0.0, < 5.18.3 5.18.3

References

cvelogic Threat Intelligence