REDAXO CMS
cpe:2.3:a:redaxo:redaxo_cms:*:*:*:*:*:*:*
- 5.20.0
A stored cross-site scripting vulnerability has been identified in REDAXO CMS version 5.20.0, specifically within the module management component. This vulnerability allows remote users to inject arbitrary web scripts or HTML into the Output code field of modules. The injected payload is executed when a user views or edits an article that includes a slice using the compromised module.
Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user viewing the affected article, potentially leading to session hijacking or other malicious actions.
To reproduce this vulnerability, navigate to the module section and create a new module. Inject a script, such as an SVG image with an 'onload' event, into the Output code field. After saving the module, go to the structure page and add a slice that uses the compromised module. When the slice is saved, the injected script will execute, confirming the cross-site scripting vulnerability.
The vulnerability can be mitigated by properly escaping user-generated content before it is rendered in the browser. All HTML content from module code fields should be treated as untrusted on output.
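The mitigation above, shown as a weak renderer beside a hardened one. This is an added example and not REDAXO's own code: the `$module` array, the function names and the sample field value are constructed for illustration, and it assumes the field is emitted into an HTML text context.

```php
<?php
declare(strict_types=1);

// Constructed sample: a stored module record whose Output code field holds
// the kind of markup described in the reproduction steps.
$module = [
    'name'   => 'Teaser',
    'output' => '<svg onload="alert(1)">',
];

// Weak form: the stored field is concatenated into the page as-is, so the
// browser parses it as markup and runs the event handler.
function renderSliceRaw(array $module): string
{
    return '<div class="slice">' . $module['output'] . '</div>';
}

// Hardened form: encode for an HTML text context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSliceEscaped(array $module): string
{
    return '<div class="slice">' . escapeHtml($module['output']) . '</div>';
}

// Regression check (hypothetical helper): the wrapper contributes exactly
// two "<" characters, so any more means stored content reached the browser
// as markup.
function hasInjectedMarkup(string $rendered): bool
{
    return substr_count($rendered, '<') > 2;
}

$variants = [
    'raw'     => renderSliceRaw($module),
    'escaped' => renderSliceEscaped($module),
];
foreach ($variants as $label => $html) {
    printf("%-8s injected markup: %s\n", $label, hasInjectedMarkup($html) ? 'yes' : 'no');
}
```

The same check can run as a regression test over every stored module field after a fix is deployed, so a later template change that drops the escaping is caught.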