CVE-2025-27412
📋 TL;DR
CVE-2025-27412 is a reflected cross-site scripting (XSS) vulnerability in REDAXO CMS that allows attackers to inject malicious scripts via the rex-api-result parameter. This affects administrators and users accessing the AddOns page in vulnerable installations. Attackers could steal session cookies, perform actions as authenticated users, or redirect to malicious sites.
💻 Affected Systems
- REDAXO CMS
📦 What is this software?
Redaxo by Redaxo
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to the CMS, deface websites, install backdoors, or pivot to internal systems.
Likely Case
Attackers trick administrators into clicking malicious links, then use the stolen session to modify content, install malicious addons, or access sensitive data.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious scripts, limiting impact to parameter reflection without execution.
🎯 Exploit Status
Reflected XSS typically requires social engineering but is trivial to exploit once a malicious URL is crafted. No authentication required to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.18.3
Vendor Advisory: https://github.com/redaxo/redaxo/security/advisories/GHSA-8366-xmgf-334f
Restart Required: No
Instructions:
1. Backup your REDAXO installation and database.
2. Download REDAXO 5.18.3 or newer from the official website.
3. Replace all files with the new version, preserving your data directory.
4. Clear browser cache and test functionality.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to sanitize the rex-api-result parameter before processing.
Modify the affected PHP file to apply htmlspecialchars() or filter_var() to the parameter
Content Security Policy
Implement CSP headers to restrict script execution sources.
Add the header Content-Security-Policy: script-src 'self' to your web server configuration. A policy this strict also blocks inline scripts, so test the REDAXO backend after enabling it.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious parameter values.
- Restrict access to the AddOns page to trusted IP addresses only using .htaccess or server configuration.
🔍 How to Verify
Check if Vulnerable:
Check if your REDAXO version is between 5.0.0 and 5.18.2 by viewing the version in the admin panel or checking the redaxo/src/core/version.php file.
Check Version:
grep "REDAXO_VERSION" redaxo/src/core/version.php
Verify Fix Applied:
After updating, confirm the version is 5.18.3 or higher and test that malicious script payloads in the rex-api-result parameter are properly encoded/blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusually long or encoded parameter values in rex-api-result
- Requests to AddOns page with script tags or JavaScript in parameters
Network Indicators:
- HTTP requests containing <script> tags or JavaScript code in the rex-api-result parameter
SIEM Query:
web.url:*rex-api-result=* AND (web.url:*<script>* OR web.url:*javascript:* OR web.url:*onerror=*)
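The same indicators can be checked offline against web-server access logs. The script below is an added example, not code from the advisory or the REDAXO project: unlike the raw SIEM string match, it percent-decodes the rex-api-result value (repeatedly, so double-encoded payloads are not missed) before looking for the indicators listed above, and it widens onerror= to any on*= handler attribute. The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators named in the advisory (<script>, javascript:, onerror=),
# with onerror= widened to any on*= event-handler attribute.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Apache/nginx combined log format (assumed): client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %253Cscript%253E is inspected as <script>."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_rex_api_result(url: str):
    """Return the decoded rex-api-result value if it carries an XSS marker, else None."""
    query = urlsplit(url).query
    for raw in parse_qs(query, keep_blank_values=True).get("rex-api-result", []):
        value = fully_decode(raw)
        if XSS_MARKERS.search(value):
            return value
    return None

def scan_log(text: str):
    """Return one hit per log line whose rex-api-result parameter looks like an XSS attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        value = suspicious_rex_api_result(m["url"])
        if value is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"], "value": value})
    return hits

# Constructed sample lines, not real traffic: a benign API result, two payloads, an unrelated page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /redaxo/index.php?page=packages&rex-api-result=%7B%22succeeded%22%3Atrue%7D HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2025:12:00:07 +0000] "GET /redaxo/index.php?page=packages&rex-api-result=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120
198.51.100.3 - - [10/Mar/2025:12:00:09 +0000] "GET /redaxo/index.php?page=packages&rex-api-result=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120
198.51.100.3 - - [10/Mar/2025:12:00:12 +0000] "GET /redaxo/index.php?page=structure HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} rex-api-result={hit["value"]!r}')
```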