REDAXO CMS Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in REDAXO CMS versions 5.0.0 through 5.18.2. The issue arises on the AddOns page, where the rex-api-result parameter is not properly sanitized, allowing for the injection of malicious scripts. This vulnerability can be exploited by administrative users.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser. This could lead to session hijacking, phishing attacks, or malware distribution. In this case, an administrator could be targeted, potentially allowing the attacker to gain elevated privileges and further compromise the system.

Reproduction

To reproduce this vulnerability, log into REDAXO as an administrative user and navigate to the AddOns page. Then, use the rex-api-result parameter to inject a script, such as an image tag with an 'onerror' event, which will execute a JavaScript alert.

Remediation

Users can upgrade to REDAXO version 5.18.3, where this vulnerability has been patched.