How the CVE Works
CVE-2025-27412 is a reflected Cross-Site Scripting (XSS) vulnerability in REDAXO CMS versions 5.0.0 through 5.18.2. The flaw lies in the `rex-api-result` parameter, whose value is rendered in the AddOns page without proper sanitization. An attacker can craft a URL carrying a JavaScript payload in that parameter; the payload executes when an authenticated administrator opens the manipulated link. This gives arbitrary script execution in the context of the admin session, potentially leading to session hijacking or unauthorized actions. The issue is patched in version 5.18.3.
DailyCVE Form
Platform: REDAXO CMS
Version: 5.0.0 – 5.18.2
Vulnerability: Reflected XSS
Severity: Medium
Date: 07/01/2025
Prediction: Patch expected by 03/10/2025
What Undercode Say
Request reflecting the parameter (proof-of-concept from the advisory):

```sh
curl -X GET "http://redaxo-site/addons?rex-api-result=<script>alert('XSS')</script>"
```

Example of the vulnerable pattern:

```php
<?php
// Unsanitized output: the raw query value is written straight into the HTML response
echo $_GET['rex-api-result'];
```
How Exploit
1. Craft malicious URL with JavaScript payload.
2. Trick admin into clicking the link.
3. Payload executes in admin context.
Protection from this CVE
Update to REDAXO 5.18.3.
Escape (HTML-encode) the `rex-api-result` value for its output context before rendering it.
Implement Content Security Policy (CSP).
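The following is an added example, not code from REDAXO or from the advisory, showing the unsanitized echo from above beside a hardened version that escapes the parameter for an HTML body context and sends a Content-Security-Policy header. The function names, the markup wrapper and the sample value are assumptions made for illustration.

```php
<?php
// Added example (not REDAXO's own code). Function names and markup are assumptions.

declare(strict_types=1);

// Vulnerable pattern described on the page: the raw query value is reflected
// into the HTML response, so a value such as <script>alert('XSS')</script>
// is parsed by the browser as markup and executed.
function renderUnsafe(string $value): string
{
    return '<p class="rex-api-result">' . $value . '</p>';
}

// Hardened pattern: encode the value for the HTML body context before output.
// ENT_QUOTES also escapes single quotes, so the result stays inert inside
// attributes delimited with either quote style; ENT_SUBSTITUTE prevents
// invalid UTF-8 from making htmlspecialchars() return an empty string.
function renderSafe(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="rex-api-result">' . $escaped . '</p>';
}

// Defence in depth: a CSP without 'unsafe-inline' means that even a reflection
// which slipped past escaping cannot run inline <script> blocks or inline event
// handlers. Restrict the policy to the asset origins the page actually uses.
function sendCspHeader(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Constructed sample value mirroring the request shown in the advisory.
$sample = "<script>alert('XSS')</script>";

sendCspHeader();
echo renderUnsafe($sample), PHP_EOL; // reflected unchanged: executable markup
echo renderSafe($sample), PHP_EOL;   // angle brackets and quotes are entity-encoded, nothing executes
```

Escaping must match the output context: `htmlspecialchars()` is correct for HTML text and attribute values, but a value placed inside a JavaScript block or a URL needs JavaScript-string or URL encoding instead. The CSP header complements escaping rather than replacing it; the patched release 5.18.3 remains the primary fix.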
Impact
Session hijacking.
Unauthorized admin actions.
Data manipulation.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode