CVE-2024-46209

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in REDAXO CMS v5.17.1 allows an attacker to inject a script payload through the password parameter of the /media/test.html component. The payload is persisted and runs as arbitrary web script or HTML in the browser of any user who later loads the affected page. All REDAXO CMS v5.17.1 installations that expose this component are affected.

💻 Affected Systems

Products:
  • REDAXO CMS
Versions: v5.17.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable component is /media/test.html, which appears to be a test or development file rather than part of the core CMS and may not be present in every installation. Treat an installation as exposed only if the file actually exists; check for it before assuming the default configuration is affected.

📦 What is this software?

REDAXO is an open-source content management system written in PHP.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker steals an administrator's session cookie or credentials, takes over the account, defaces the site, or redirects visitors to attacker-controlled pages; chained with another weakness in the backend this can escalate to full compromise of the host.

🟠 Likely Case

An attacker injects JavaScript that exfiltrates session cookies or captures credentials from users who open the page, then uses them to reach the CMS backend as an administrator.

🟢 If Mitigated

With input validation and context-correct output encoding the stored payload is rendered as inert text instead of executing. A Content Security Policy that forbids inline script blocks execution even where the encoding is missed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public GitHub repository contains proof-of-concept code demonstrating the vulnerability. The exploit requires only network access to the vulnerable endpoint; no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: Not found

Restart Required: No

Instructions:

1. Check the official REDAXO website and release notes for a security update addressing this issue
2. Upgrade to the patched version as soon as one is published
3. Until then, remove /media/test.html or block access to it at the web server

🔧 Temporary Workarounds

Remove vulnerable component (platform: linux)

Delete or restrict access to the /media/test.html file. If you need the file for forensic review, copy it to a location outside the web root first; the command below removes it outright.

rm /path/to/redaxo/media/test.html

Implement WAF rules (platform: all)

Add web application firewall rules that block XSS payloads (script tags, javascript: URIs, event-handler attributes, and their percent-encoded forms) in the password parameter of requests to /media/test.html.

🧯 If You Can't Patch

  • Serve a strict Content Security Policy that disallows inline script (a script-src directive without 'unsafe-inline', or one that uses nonces or hashes), so an injected <script> tag is refused by the browser even if it reaches the page
  • Deploy a web application firewall (WAF) with XSS protection rules covering the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether /media/test.html exists in your REDAXO installation. If it does, on a system you are authorised to test, submit a harmless marker payload such as <script>alert('test')</script> in the password parameter and inspect the page source on the next load: the installation is vulnerable if the payload comes back unencoded, and safe if it is rendered as HTML entities (&lt;script&gt;...) or not stored at all.

Check Version:

Check REDAXO version in admin panel or examine /redaxo/data/core/config.yml

Verify Fix Applied:

After removing the file or implementing controls, attempt to access /media/test.html and verify it returns 404 or properly sanitizes input
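The three checks above as one script. This is an added example, not code from the advisory or from the REDAXO project. Because the page does not describe the request shape, the script assumes the password value is submitted as a form field named "password" in a POST to /media/test.html and echoed in the HTML returned by a later GET of the same path; adjust TARGET_PATH and FIELD if your installation differs. The verdict logic (present / raw reflection / encoded reflection / CSP that blocks inline script) is separated from the network call so it can be exercised on saved responses, and check_live() should only be pointed at systems you are authorised to test.

```python
"""Verification helper for CVE-2024-46209 (added example, not advisory or
REDAXO code). Assumed request shape: POST the payload as form field
"password" to /media/test.html, then GET the same path and inspect the HTML."""
import html
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TARGET_PATH = "/media/test.html"   # endpoint named in the advisory
FIELD = "password"                 # parameter named in the advisory
# Harmless marker payload; the unusual token avoids false matches on
# unrelated "alert" text already present on the page.
PAYLOAD = "<script>alert('cve-2024-46209-check')</script>"


@dataclass
class Verdict:
    present: bool            # /media/test.html exists (not 404)
    reflected_raw: bool      # payload appears unencoded in the HTML
    reflected_encoded: bool  # payload appears HTML-entity encoded
    csp_blocks_inline: bool  # CSP on the response refuses inline <script>

    @property
    def vulnerable(self) -> bool:
        # Exploitable only if the raw payload is served AND no CSP stops it.
        return self.present and self.reflected_raw and not self.csp_blocks_inline


def csp_blocks_inline_script(csp_header: Optional[str]) -> bool:
    """True if this Content-Security-Policy would refuse a plain inline <script>.

    The governing directive is script-src, falling back to default-src. Inline
    script runs only if that directive allows 'unsafe-inline' and carries no
    nonce or hash source (a nonce/hash makes browsers ignore 'unsafe-inline').
    """
    if not csp_header:
        return False
    directives: Dict[str, List[str]] = {}
    for part in csp_header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    governing = directives.get("script-src", directives.get("default-src"))
    if governing is None:
        return False  # no governing directive: inline script is allowed
    if any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in governing):
        return True
    return "'unsafe-inline'" not in governing


def classify_body(body: str, payload: str = PAYLOAD) -> Tuple[bool, bool]:
    """Return (reflected_raw, reflected_encoded) for one fetched HTML body."""
    raw = payload in body
    encoded = (html.escape(payload, quote=True) in body
               or html.escape(payload, quote=False) in body)
    return raw, encoded


def verdict_from_response(status: int, body: str, headers: Dict[str, str]) -> Verdict:
    """Build the verdict from the GET response fetched after storing the payload."""
    if status == 404:
        return Verdict(False, False, False, False)
    raw, encoded = classify_body(body)
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    return Verdict(True, raw, encoded, csp_blocks_inline_script(csp))


def check_live(base_url: str, timeout: float = 10.0) -> Verdict:
    """Network round trip under the assumed request shape: store, then re-fetch."""
    url = base_url.rstrip("/") + TARGET_PATH
    data = urllib.parse.urlencode({FIELD: PAYLOAD}).encode()
    try:
        urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=timeout)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return Verdict(False, False, False, False)
        # 405 etc.: the file may be static; still inspect what the GET serves.
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return verdict_from_response(resp.status,
                                         resp.read().decode("utf-8", "replace"),
                                         dict(resp.headers))
    except urllib.error.HTTPError as exc:
        return verdict_from_response(exc.code, "", {})


if __name__ == "__main__":
    import sys
    result = check_live(sys.argv[1])          # e.g. https://cms.example.test
    print("VULNERABLE" if result.vulnerable else "not exploitable", result)
```

A 404 on the GET is the expected result after the file has been removed; an encoded reflection or a blocking CSP means the control is effective even though the file still exists. Note that the CSP check only covers a plain inline <script> tag; a payload built around an event-handler attribute is governed by the same script-src rules, but a CSP that allows 'unsafe-inline' protects against neither.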

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /media/test.html whose parameters contain script tags, javascript: URIs, event-handler attributes (onerror=, onload=, ...) or percent-encoded forms of these
  • POST requests to /media/test.html, which should not occur for a static test file (default access logs do not record request bodies, so a payload sent in the body is visible only through the POST itself or a request-body log)

Network Indicators:

  • Traffic patterns showing repeated access to test.html with encoded payloads

SIEM Query:

source="web_logs" AND uri_path="/media/test.html" AND (query_string CONTAINS "script" OR query_string CONTAINS "javascript:" OR query_string CONTAINS "onerror=")

This is vendor-neutral pseudo-syntax; translate it to your SIEM's query language and confirm whether CONTAINS is case-insensitive there. Singly percent-encoded payloads (%3Cscript%3E) still contain the literal substring "script", but mixed-case or double-encoded variants do not match reliably, so decode the query string before matching where your platform allows it.
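The log indicators above as a small scanner over web-server access logs, added here as an example and not taken from the advisory or from REDAXO. It assumes the Apache/nginx "combined" log format; the five sample lines are constructed for the example, not real traffic. Unlike the substring query, it fully percent-decodes the query string (so a double-encoded payload surfaces), flags POSTs to the endpoint as their own indicator, and counts hits per source address to cover the "repeated access" network indicator.

```python
"""Access-log scanner for CVE-2024-46209 indicators (added example, not
advisory or REDAXO code). Assumes Apache/nginx combined log format."""
import re
import urllib.parse
from collections import Counter
from typing import Dict, Iterable, List, Optional

TARGET_PATH = "/media/test.html"

# Constructed sample: single-encoded <script>, double-encoded <img onerror>,
# a POST, a benign GET, and a payload aimed at a different path.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2024:10:01:12 +0000] "GET /media/test.html?password=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [12/Sep/2024:10:01:15 +0000] "GET /media/test.html?password=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.4 - - [12/Sep/2024:10:02:03 +0000] "POST /media/test.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2024:10:03:40 +0000] "GET /media/test.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2024:10:03:41 +0000] "GET /index.php?password=%3Cscript%3E HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Indicator patterns, applied to the *decoded* query string.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("js_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <)
    surface; bounded so a pathological input cannot loop indefinitely."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a hit record for a request to the vulnerable path that carries an
    XSS indicator or is a POST; None for every other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if path != TARGET_PATH:
        return None
    decoded = decode_fully(query)
    reasons = [name for name, pat in XSS_PATTERNS if pat.search(decoded)]
    if m["method"] == "POST":
        # Bodies are not in combined-format logs, so the POST itself is the signal.
        reasons.append("post_to_test_html")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "reasons": reasons, "decoded_query": decoded}


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run analyse_line over a log and keep only the hits."""
    return [hit for hit in (analyse_line(line) for line in lines) if hit]


def repeat_offenders(hits: List[Dict[str, object]], threshold: int = 2) -> Dict[str, int]:
    """Source IPs with at least `threshold` hits (the 'repeated access' indicator)."""
    counts = Counter(str(h["ip"]) for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit["ip"], hit["method"], hit["reasons"], hit["decoded_query"])
    print("repeat offenders:", repeat_offenders(hits))
```

Feed it a real log with `scan(open("/var/log/nginx/access.log"))`. The event-handler pattern is deliberately broad (any on...= token), so review hits rather than alerting on them blindly; a path filter on /media/test.html already keeps the volume small.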
