CVE-2025-64049
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in REDAXO CMS 5.20.0 allows remote authenticated users to inject malicious scripts into the module management component. When other users view or edit articles using compromised modules, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. This affects all REDAXO CMS installations running version 5.20.0 with module management enabled.
💻 Affected Systems
- REDAXO CMS
📦 What is this software?
Redaxo by Redaxo
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over CMS administration, deface websites, or redirect users to malicious sites.
Likely Case
Attackers with module editing privileges could inject scripts that steal user session data or perform limited unauthorized actions within the CMS.
If Mitigated
With proper input validation and output encoding, scripts would be rendered harmless as text rather than executed.
🎯 Exploit Status
Exploitation requires authenticated access to module management. Public proof-of-concept exists in GitHub disclosures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.20.1 or later
Vendor Advisory: https://github.com/redaxo/redaxo
Restart Required: No
Instructions:
1. Backup your REDAXO installation and database
2. Download REDAXO 5.20.1 or later from the official repository
3. Replace existing installation files with patched version
4. Clear browser cache and test module functionality
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation for module output fields to strip or encode script tags
Implement custom validation in module PHP files to sanitize output field input
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources
Add the header Content-Security-Policy: script-src 'self' to the web server configuration (the policy only blocks injected inline scripts if it does not also allow 'unsafe-inline')
🧯 If You Can't Patch
- Restrict module editing permissions to trusted administrators only
- Implement web application firewall rules to block XSS payload patterns in POST requests to module endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether the REDAXO version is exactly 5.20.0 by viewing the admin dashboard or checking the version.php file
Check Version:
grep "REX_VERSION" redaxo/src/core/version.php
Verify Fix Applied:
Verify installation shows version 5.20.1 or later in admin dashboard
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to module management endpoints with script tags in parameters
- Multiple failed login attempts followed by module editing activity
Network Indicators:
- HTTP requests containing <script> tags in POST body to /redaxo/index.php?page=modules paths
SIEM Query:
source="web_logs" AND (uri_path="/redaxo/index.php" AND query_string="*page=modules*" AND (body="*<script>*" OR body="*javascript:*"))
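The same check as the SIEM query above, written as a stand-alone script over constructed log records (an added example, not part of the advisory or of REDAXO). It assumes a WAF or reverse proxy that logs request bodies, since plain access logs do not record POST bodies, and it URL-decodes field values before matching so that encoded payloads, which a literal "*<script>*" match on the raw body would miss, are still caught. The field names mname and output are constructed for the sample.

```python
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample records, not captured traffic. The record shape assumes a
# WAF or reverse proxy that logs the request body alongside the request line;
# ordinary web server access logs cannot feed this check because they lack bodies.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "user": "editor1", "method": "POST",
     "uri": "/redaxo/index.php?page=modules",
     "body": "mname=Teaser&output=%3Cp%3ETeaser%3C%2Fp%3E"},
    {"src": "10.0.0.9", "user": "editor2", "method": "POST",
     "uri": "/redaxo/index.php?page=modules",
     "body": "mname=Teaser&output=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"},
    {"src": "10.0.0.9", "user": "editor2", "method": "POST",
     "uri": "/redaxo/index.php?page=modules",
     "body": "mname=Link&output=%3Ca+href%3D%22JavaScript%3Avoid%280%29%22%3Ex%3C%2Fa%3E"},
    {"src": "10.0.0.7", "user": "admin", "method": "GET",
     "uri": "/redaxo/index.php?page=modules", "body": ""},
    {"src": "10.0.0.5", "user": "editor1", "method": "POST",
     "uri": "/redaxo/index.php?page=content", "body": "text=%3Cscript%3E"},
]

# The two indicators named in the advisory; compared against lower-cased values.
MARKERS = ("<script", "javascript:")

def suspicious_fields(record):
    """Return the body field names whose decoded value carries an XSS marker.

    Only POST requests to /redaxo/index.php with page=modules are examined,
    matching the advisory's network indicator. parse_qs decodes the body once;
    unquote_plus decodes a second time so double-encoded values also match.
    """
    if record["method"] != "POST":
        return []
    url = urlsplit(record["uri"])
    if url.path != "/redaxo/index.php" or parse_qs(url.query).get("page") != ["modules"]:
        return []
    hits = []
    for name, values in parse_qs(record["body"], keep_blank_values=True).items():
        if any(m in unquote_plus(v).lower() for v in values for m in MARKERS):
            hits.append(name)
    return hits

def scan(records):
    """Return (src, user, fields) for every record that triggers the check."""
    return [(r["src"], r["user"], suspicious_fields(r))
            for r in records if suspicious_fields(r)]

if __name__ == "__main__":
    for src, user, fields in scan(SAMPLE_RECORDS):
        print(f"{src} {user}: script marker in module field(s) {fields}")
```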