CVE-2025-66026
📋 TL;DR
This is a reflected Cross-Site Scripting (XSS) vulnerability in the REDAXO CMS backend: a crafted link reflects the args[types] parameter of the Mediapool view into the page without HTML encoding, so arbitrary JavaScript runs in the browser of any authenticated backend user who opens the link. The script executes inside the victim's authenticated session, so it can read session data, perform backend actions as the victim, or redirect them to an attacker-controlled site. Unauthenticated visitors are not affected; the victim must already be logged in to the backend. Fixed in REDAXO 5.20.1.
💻 Affected Systems
- REDAXO CMS
📦 What is this software?
REDAXO is an open-source PHP content management system; the Mediapool is the media manager inside its authenticated backend.
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control of the CMS, modifies content, installs backdoors, or steals sensitive data from all authenticated users.
Likely Case
Attacker hijacks an authenticated user's session or, because the injected script already runs inside that session, performs backend actions with the victim's privileges (including any that require a CSRF token rendered in the page), or redirects the user to a phishing site.
If Mitigated
With output encoding applied at the point where args[types] is written into the page, the payload is rendered as inert text; the attack fails silently with no impact on system integrity or data confidentiality.
🎯 Exploit Status
Exploitation requires social engineering: an attacker must get an already-authenticated backend user to open a crafted link. No authentication bypass is involved, and the attacker needs no account of their own.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.20.1
Vendor Advisory: https://github.com/redaxo/redaxo/security/advisories/GHSA-x6vr-q3vf-vqgq
Restart Required: No
Instructions:
1. Back up your REDAXO installation and database.
2. Download REDAXO 5.20.1 or newer from official sources.
3. Replace all files with the new version.
4. Clear the REDAXO cache and any upstream caches (reverse proxy, CDN).
5. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Input Validation Filter
Apply output encoding to the args[types] parameter at the point where it is written into the Mediapool page. Input validation alone is not enough; the reliable control for reflected XSS is encoding at output time.
Modify the affected PHP file to pass the value through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') (or REDAXO's own rex_escape() helper) before it is echoed. Note that filter_var() does not HTML-encode and is not a substitute. Any manual edit to core files is overwritten by the next update, so treat this strictly as a stopgap until 5.20.1 is installed.
Content Security Policy
Implement a Content Security Policy without 'unsafe-inline' so that injected inline script is blocked by the browser.
Add 'Content-Security-Policy: script-src 'self'' to the HTTP response headers for the backend. Caveat: the REDAXO backend relies on inline scripts, so a policy this strict is likely to break backend functionality; test it on a staging system first, or deploy it as Content-Security-Policy-Report-Only to observe violations. CSP is a defense-in-depth layer and does not remove the vulnerability.
🧯 If You Can't Patch
- Restrict backend access (the /redaxo/ path) to trusted IP addresses only using firewall or web-server rules; this shrinks the set of users who can be targeted but does not protect those users.
- Implement web application firewall (WAF) rules that inspect the args[types] parameter for script tags, event-handler attributes and javascript: URLs. Match on the URL-decoded value: a rule that only looks for a literal <script> is bypassed by %3Cscript%3E, double encoding, or an <img onerror=...> payload.
🔍 How to Verify
Check if Vulnerable:
Check if the REDAXO version is below 5.20.1 by viewing the version in the backend (System page) or by reading it from the installed files. In REDAXO 5 the core version is declared in redaxo/src/core/boot.php via rex::setProperty('version', ...); the $REX['VERSION'] array belongs to REDAXO 4 and does not exist in 5.x installations.
Check Version:
grep -o "setProperty('version', '[^']*')" redaxo/src/core/boot.php
Compare the result numerically, not as a string: 5.9.0 sorts after 5.20.1 lexicographically but is older.
Verify Fix Applied:
After updating, confirm the version shows 5.20.1 or higher. Then open the Mediapool view with a harmless marker in the parameter, for example args[types]=<b>test</b>, and confirm the page shows the literal text "<b>test</b>" rather than rendering it as bold; if the markup is rendered, the parameter is still reflected unescaped.
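The version comparison above is easy to get wrong with a string compare. The following is an added example for this page, not REDAXO code; it assumes the core version is declared in redaxo/src/core/boot.php as rex::setProperty('version', '5.x.y') and uses a constructed boot.php snippet as input.

```python
"""Decide whether a REDAXO 5 install is older than the fixed version 5.20.1.

Added example for this advisory page; not part of REDAXO. Assumes the
version line in redaxo/src/core/boot.php has the form
    rex::setProperty('version', '5.20.1');
"""
import re

FIXED_VERSION = "5.20.1"

# Matches rex::setProperty('version', '5.20.1') with either quote style.
VERSION_RE = re.compile(
    r"""rex::setProperty\(\s*['"]version['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# Constructed sample of the relevant line from boot.php (not a real file).
SAMPLE_BOOT = "<?php\n\nrex::setProperty('version', '5.9.0');\n"


def version_from_boot(source: str) -> str:
    """Extract the version string from boot.php source text."""
    m = VERSION_RE.search(source)
    if not m:
        raise ValueError("no rex::setProperty('version', ...) found")
    return m.group(1)


def parse_version(s: str):
    """'5.20.1' -> ((5, 20, 1), True); a pre-release suffix such as
    '5.20.1-dev' yields ((5, 20, 1), False) so it sorts before the release."""
    core, _, suffix = s.partition("-")
    numbers = tuple(int(p) for p in core.split("."))
    return (numbers, suffix == "")


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version.
    Tuple comparison is numeric per component, so 5.9.0 < 5.20.1 as intended,
    whereas the plain string comparison '5.9.0' < '5.20.1' is False."""
    return parse_version(version) < parse_version(fixed)


def check_boot_file(path: str) -> bool:
    """Read a real boot.php and report whether the install is vulnerable."""
    with open(path, encoding="utf-8") as fh:
        return is_vulnerable(version_from_boot(fh.read()))


if __name__ == "__main__":
    v = version_from_boot(SAMPLE_BOOT)
    print(f"installed {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Point check_boot_file() at the real redaxo/src/core/boot.php of an installation to run it against a live system.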
📡 Detection & Monitoring
Log Indicators:
- GET requests to the backend (/redaxo/) whose args[types] parameter contains script tags, event-handler attributes (onerror=, onload=) or javascript: URLs, including URL-encoded forms (%3Cscript%3E, args%5Btypes%5D)
- Because the crafted request is sent by the victim's own browser, the source IP is that of a legitimate backend user, not the attacker; correlate with an external Referer and with the victim's session being active
Network Indicators:
- HTTP requests with JavaScript or HTML markup in URL parameters, in plain or URL-encoded form
- Connections from backend users' browsers to unfamiliar external domains shortly after such a request (visible in proxy logs or CSP violation reports), which may indicate exfiltration of session data
SIEM Query:
source="web_logs" AND (url="*args[types]*" OR url="*args%5Btypes%5D*") AND (url="*<script*" OR url="*%3Cscript*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
Matching only the literal string <script> misses encoded payloads; decode the URL before matching where the SIEM supports it.
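The indicators above are straightforward to turn into a small log scanner that decodes the query string before matching, which is what catches the encoded variants the wildcard query misses. The following is an added example for this page and not part of REDAXO; it assumes combined-format access logs and the parameter name args[types] from the advisory, and the log lines it scans are constructed for the demonstration.

```python
"""Scan web-server access logs for reflected-XSS attempts against the REDAXO
Mediapool args[types] parameter.

Added example for this advisory page; not REDAXO code. Assumes Apache/nginx
combined log format and the parameter name args[types] from the advisory.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (not real traffic). Line 2 is URL-encoded, line 3 is
# an attribute-breakout payload, line 5 is double-encoded; lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /redaxo/index.php?page=mediapool/media&args[types]=jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.8 - - [01/Jan/2025:10:00:02 +0000] "GET /redaxo/index.php?page=mediapool/media&args%5Btypes%5D=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5321 "https://evil.example/" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET /redaxo/index.php?page=mediapool/media&args[types]=jpg%22%3E%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2025:10:00:04 +0000] "GET /redaxo/index.php?page=structure HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2025:10:00:05 +0000] "GET /redaxo/index.php?page=mediapool/media&args%5Btypes%5D=%253Cscript%253Ealert(2)%253C%252Fscript%253E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns applied to the *decoded* parameter value.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),                       # <script ...>
    re.compile(r"javascript\s*:", re.I),                   # javascript: URLs
    re.compile(r"\bon[a-z]+\s*=", re.I),                   # onerror=, onload=, ...
    re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
]

TARGET_PARAM = "args[types]"


def suspicious_values(target: str) -> list:
    """Return decoded args[types] values from a request target that match an
    XSS pattern. parse_qs decodes keys and values once (so args%5Btypes%5D
    becomes args[types]); a second unquote() handles double-encoded payloads."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for value in params.get(TARGET_PARAM, []):
        decoded = unquote(value)
        if any(p.search(decoded) for p in XSS_PATTERNS):
            hits.append(decoded)
    return hits


def scan_log(text: str) -> list:
    """Return one alert dict per log line carrying a suspicious args[types] value.
    The source IP is the victim's browser, not the attacker's, so it is recorded
    for correlation with the user's session rather than for blocking."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = suspicious_values(m["target"])
        if hits:
            alerts.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "payloads": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"], alert["payloads"])
```

Run it over a real access log by passing the file contents to scan_log(); a 200 response to one of these requests is the case to investigate, since it means the page was served to an authenticated user.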