REDAXO Mediapool Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Mediapool view of REDAXO CMS, in versions prior to 5.20.1. The issue arises because the request parameter 'args[types]' is inserted into an info banner without proper HTML escaping. This flaw enables the execution of arbitrary JavaScript in the backend context when an authenticated user is tricked into clicking a malicious link while logged in.
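The bug class described above, as an added example that is not REDAXO's own code: a request value concatenated into banner markup as-is, next to the same banner with output encoding applied. The function names, the banner markup and the sample input are constructed for illustration, and the code assumes PHP 8 or later.

```php
<?php
declare(strict_types=1);

// Added illustration; hypothetical helpers, not REDAXO source code.

/** Read args[types] from a parsed query; non-string values are rejected. */
function types_param(array $query): string
{
    $value = $query['args']['types'] ?? '';
    return is_string($value) ? $value : '';
}

/** Vulnerable pattern: the request value is concatenated into markup as-is. */
function banner_unescaped(array $query): string
{
    return '<div class="alert alert-info">Types: ' . types_param($query) . '</div>';
}

/** Hardened pattern: encode for the HTML context at the point of output. */
function banner_escaped(array $query): string
{
    $safe = htmlspecialchars(
        types_param($query),
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="alert alert-info">Types: ' . $safe . '</div>';
}

// Constructed input with the payload shape this advisory describes.
$payload = '<img src=x onerror=alert(document.domain)>';
parse_str('args[types]=' . rawurlencode($payload), $query);

echo banner_unescaped($query), PHP_EOL; // markup reaches the browser intact
echo banner_escaped($query), PHP_EOL;   // metacharacters become entities

// Regression check: the escaped banner must never contain a live tag.
if (str_contains(banner_escaped($query), '<img')) {
    throw new RuntimeException('banner output is not escaped');
}
```

The final check can be lifted into a unit test so that a later change to the banner code cannot silently drop the encoding step.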

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the backend, which could lead to the theft of session cookies, CSRF tokens, or other sensitive information. This also enables an attacker to perform administrative actions on behalf of the affected user.

Reproduction

To reproduce this vulnerability, log into the REDAXO backend as an authenticated user. Then, open a crafted URL that includes a payload in the 'args[types]' parameter, such as one that uses an image tag with an 'onerror' event. The info banner will render the unescaped content, and the browser will execute the JavaScript, for example by showing an alert with the document domain.

Remediation

Users can update to REDAXO version 5.20.1 or later to address this vulnerability.

Added: Nov 26, 2025, 3:18 AM
Updated: Nov 26, 2025, 3:18 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 7.9
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.