CVE-2024-50803
📋 TL;DR
CVE-2024-50803 is a cross-site scripting (XSS) vulnerability in the mediapool feature of Redaxo CMS that lets an attacker inject script into pages rendered by the backend. It affects administrators who use the mediapool interface: script that runs in an administrator's browser session can perform any action that administrator is allowed to perform. Exploitation requires user interaction, since an administrator must be tricked into viewing the malicious content.
💻 Affected Systems
- Redaxo CMS
📦 What is this software?
Redaxo by Redaxo
⚠️ Risk & Real-World Impact
Worst Case
An attacker could execute arbitrary JavaScript in an administrator's browser session, potentially stealing session cookies, performing actions as the administrator, or installing backdoors.
Likely Case
Attackers could steal administrator session tokens and gain unauthorized access to the CMS backend, allowing content manipulation or further system compromise.
If Mitigated
With output encoding of media names and metadata (and input validation as a second layer), the injected script is rendered as inert text rather than executed, limiting the impact to cosmetic display issues.
🎯 Exploit Status
Proof of concept available on GitHub. Exploitation requires social engineering to trick administrators into interacting with malicious media files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.17.2 or later
Vendor Advisory: http://redaxo.com
Restart Required: No
Instructions:
1. Back up your Redaxo installation (files and database).
2. Download the latest version from redaxo.org.
3. Replace the core files with the patched version.
4. Clear the browser cache and test backend functionality, including the mediapool.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side validation for mediapool file names and metadata
Modify the mediapool PHP files so that file names and metadata are HTML-encoded where they are written into the page, using htmlspecialchars() with ENT_QUOTES (or Redaxo's own escaping helper, if your version ships one); validating input on upload is useful as a second layer but does not replace encoding at the output boundary
Content Security Policy
Implement CSP headers to restrict script execution
Send the header `Content-Security-Policy: script-src 'self'` with backend responses; this blocks inline scripts and javascript: URLs, so test the backend afterwards, since a strict policy can also break legitimate inline scripts the UI depends on
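The two workarounds above, as an added example written for this page rather than code taken from Redaxo core. The row-rendering functions and the `$media` field names are assumptions for illustration; the `htmlspecialchars()` call and the `header()` call are standard PHP. The point it shows is that the same metadata string is harmless once it is encoded at the output boundary, and that the CSP header is a separate, defence-in-depth layer.

```php
<?php
declare(strict_types=1);

// Added example, not Redaxo core code. $media['title'] and
// $media['filename'] are assumed field names for illustration.

/** Encode a value for an HTML text node or a double-quoted attribute. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** VULNERABLE: metadata is concatenated into markup unencoded. */
function render_media_row_vulnerable(array $media): string
{
    return '<tr><td title="' . $media['title'] . '">' . $media['filename'] . '</td></tr>';
}

/** HARDENED: every untrusted value passes through esc() at the output boundary. */
function render_media_row_hardened(array $media): string
{
    return '<tr><td title="' . esc($media['title']) . '">' . esc($media['filename']) . '</td></tr>';
}

/**
 * Defence in depth: a script-src of 'self' forbids inline <script> blocks,
 * inline event handlers and javascript: URLs, which is what a stored or
 * reflected XSS payload needs. Must be sent before any output.
 */
function send_csp_header(): void
{
    header("Content-Security-Policy: script-src 'self'");
}

// Constructed sample: an uploader sets a media title that carries a payload.
$media = [
    'filename' => 'photo.jpg',
    'title'    => '"><script>alert(document.cookie)</script>',
];

send_csp_header();

echo render_media_row_vulnerable($media), PHP_EOL;
// The quote in the title closes the attribute and a real <script> element
// lands in the administrator's page.
echo render_media_row_hardened($media), PHP_EOL;
// &quot;&gt;&lt;script&gt;... is shown as text; nothing executes.
```

Run it with `php example.php` and compare the two lines. In the hardened output the `"` and `<` are entity-encoded, so neither the attribute nor the table cell can be broken out of. The CSP header is worth keeping even after patching, but deploy it only after checking that the backend's own scripts still load under it.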
🧯 If You Can't Patch
- Restrict mediapool access to trusted administrators only
- Implement web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check whether you are running Redaxo 5.17.1 (the version named as affected); any version below 5.17.2 should be treated as unpatched. On a test copy, set a media title or file name containing a marker such as `<b>x</b>` and confirm whether the mediapool listing renders it as markup (vulnerable) or as literal text (not vulnerable)
Check Version:
Check Redaxo admin panel or examine /redaxo/src/core/version.php
Verify Fix Applied:
Verify that the version is 5.17.2 or later and that script tags placed in media metadata are rendered as encoded text (`&lt;script&gt;`) in the mediapool listing rather than as markup
📡 Detection & Monitoring
Log Indicators:
- Unusual media uploads with script-like content
- Multiple failed authentication attempts followed by mediapool access
Network Indicators:
- HTTP requests containing script tags or javascript: URLs in mediapool parameters, including their percent-encoded forms (`%3Cscript%3E`)
- Unusual outbound connections from CMS server
SIEM Query:
source="web_logs" AND uri_path="/redaxo/index.php" AND query_string CONTAINS "page=mediapool" AND (query_string CONTAINS "<script" OR query_string CONTAINS "%3Cscript" OR query_string CONTAINS "javascript:" OR query_string CONTAINS "javascript%3A")
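A SIEM query that matches only the literal string `<script>` misses the common case: web servers log the request target exactly as the client sent it, and an XSS probe in a query string is normally percent-encoded. The following is an added example for this page (not from Redaxo and not part of the original advisory) that decodes the query string before matching. The log lines are constructed, and the `page=mediapool/...` subpage form is an assumption about backend URLs; the check accepts any `page` value that starts with `mediapool`.

```php
<?php
declare(strict_types=1);

// Added example, not from the page or from Redaxo. Flags access-log lines
// for requests to the Redaxo mediapool page whose (decoded) query string
// carries a script-like payload.

const SCRIPT_PATTERNS = [
    '/<\s*script\b/i',                                    // <script ...>
    '/javascript\s*:/i',                                  // javascript: URLs
    '/\bon(?:error|load|click|mouseover|focus)\s*=/i',    // inline event handlers
];

/** Extract the request target from an Apache/nginx combined-format log line. */
function request_target(string $line): ?string
{
    if (preg_match('/"(?:GET|POST|PUT|PATCH)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
        return $m[1];
    }
    return null;
}

/** True when the request hits the mediapool page with a script-like payload. */
function is_suspicious_mediapool_request(string $line): bool
{
    $target = request_target($line);
    if ($target === null) {
        return false;
    }
    $parts = parse_url($target);
    $path  = $parts['path']  ?? '';
    $query = $parts['query'] ?? '';
    if ($path !== '/redaxo/index.php') {
        return false;
    }
    parse_str($query, $params);               // parse_str percent-decodes each value
    $page = (string) ($params['page'] ?? '');
    if (strncmp($page, 'mediapool', 9) !== 0) {
        return false;
    }
    // Match against the decoded query, not the raw log line, so that
    // %3Cscript%3E is caught as well as a literal <script>.
    $decoded = urldecode($query);
    foreach (SCRIPT_PATTERNS as $re) {
        if (preg_match($re, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample log: one benign mediapool request, one encoded probe
// against the mediapool, and one probe against a different backend page.
$sampleLog = <<<'LOG'
203.0.113.5 - - [10/Nov/2024:10:01:02 +0000] "GET /redaxo/index.php?page=mediapool/media&category_id=1 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Nov/2024:10:01:09 +0000] "GET /redaxo/index.php?page=mediapool/media&search=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210
203.0.113.5 - - [10/Nov/2024:10:01:15 +0000] "GET /redaxo/index.php?page=structure&title=javascript:alert(1) HTTP/1.1" 200 3001
LOG;

foreach (explode("\n", $sampleLog) as $line) {
    echo (is_suspicious_mediapool_request($line) ? 'ALERT ' : 'ok    ') . $line, PHP_EOL;
}
```

Only the second line is flagged: the first carries no payload and the third targets a different backend page. A literal match on `<script>` against the raw line would have flagged none of them, which is the gap the decoding step closes. Extend `SCRIPT_PATTERNS` cautiously; broad patterns such as `on[a-z]+=` will also match ordinary parameter names.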