CVE-2025-64049 in Redaxo
Summary
by MITRE • 11/25/2025
A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding a slice that uses the compromised module.
Analysis
by VulDB Data Team • 11/25/2025
This vulnerability represents a critical stored cross-site scripting flaw within the module management component of REDAXO CMS version 5.20.0. The security issue stems from insufficient input validation and output sanitization mechanisms in the administrative interface where users can define module output code. Attackers can exploit this weakness by injecting malicious JavaScript payloads into the Output code field of modules, which are then stored within the CMS database. When legitimate users subsequently view or edit articles that contain slices utilizing these compromised modules, the malicious code executes within their browser context, potentially leading to session hijacking, credential theft, or further exploitation of the victim's system. The vulnerability specifically affects the module management workflow where administrators define how content slices should be rendered, creating a persistent attack vector that remains active until the malicious code is removed from the database.
The technical implementation of this vulnerability aligns with CWE-79, which describes cross-site scripting flaws occurring when untrusted data is incorporated into web pages without proper validation or encoding. The attack vector operates through the module management interface where administrators can define custom output code that gets executed in the context of user browsers. This stored XSS vulnerability is particularly dangerous because it persists in the database and can affect multiple users who interact with affected content slices. The exploitation requires minimal privileges since attackers only need access to the module management functionality, which is typically available to content editors and administrators. The payload execution occurs during normal CMS operations when users view or edit articles, making detection difficult as the malicious code appears legitimate within the normal content rendering process.
The operational impact of this vulnerability extends beyond simple script execution to potentially enable full account takeovers and privilege escalation within the CMS environment. An attacker could craft payloads that steal session cookies, redirect users to malicious sites, or inject additional malicious content into the CMS interface. This vulnerability particularly affects organizations that rely heavily on module-based content management and allow non-privileged users to modify module definitions. The persistent nature of stored XSS means that even if administrators later patch the vulnerability, previously injected payloads continue to execute until manually removed from the database. Additionally, the attack can be amplified through social engineering tactics where administrators are tricked into editing compromised modules, or through automated scanning tools that identify vulnerable installations.
Mitigation strategies should focus on immediate patching of the REDAXO CMS to version 5.20.1 or later, where this vulnerability has been addressed. Organizations should implement comprehensive input validation and output encoding mechanisms throughout the module management interface to prevent unauthorized code injection. Regular security audits of module definitions and content management workflows should be conducted to identify and remove malicious payloads. Network segmentation and monitoring solutions should be deployed to detect unusual patterns of module access or content modification that might indicate exploitation attempts. Administrative privileges should be strictly controlled and regularly reviewed to minimize the attack surface. Implementing content security policies and using security headers can provide additional defense-in-depth measures. The vulnerability also highlights the importance of secure coding practices and input sanitization in CMS platforms, particularly in components that handle user-defined code execution. Organizations should consider implementing automated scanning tools to identify similar vulnerabilities in other CMS components and third-party plugins that might be susceptible to similar cross-site scripting attacks.
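One way to run the audit of module definitions described above, as an added example that is not code from REDAXO, MITRE or VulDB. It assumes the rows were exported as (id, name, output) from the module table (`rex_module` with the default table prefix is an assumption); the sample rows, rule names and `REVIEWED` baseline are constructed for illustration.

```python
import hashlib
import re
from typing import NamedTuple

# Heuristics for markup that can run script in a browser. A hit means
# "review this module", not "malicious": legitimate modules use script too.
RULES = {
    "script-element": re.compile(r"<\s*script\b", re.I),
    "event-handler-attribute": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"=\s*[\"']?\s*javascript:", re.I),
    "frame-or-object": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}

class Finding(NamedTuple):
    module_id: int
    name: str
    line: int
    rule: str

def digest(output: str) -> str:
    """SHA-256 of a module's output code, used as the review baseline."""
    return hashlib.sha256(output.encode("utf-8")).hexdigest()

def audit_modules(rows, reviewed=None):
    """rows: (id, name, output) tuples; reviewed: {id: digest} of approved output."""
    reviewed = reviewed or {}
    findings = []
    for module_id, name, output in rows:
        if reviewed.get(module_id) == digest(output):
            continue  # unchanged since the last manual review
        for rule, pattern in RULES.items():
            for m in pattern.finditer(output):
                line = output.count("\n", 0, m.start()) + 1
                findings.append(Finding(module_id, name, line, rule))
    return findings

# Constructed sample rows, shaped like (id, name, output) from the module table.
SAMPLE = [
    (1, "Text", '<div class="text">REX_VALUE[1]</div>\n'),
    (2, "Teaser", '<?php $t = "REX_VALUE[1]"; ?>\n<h2><?= rex_escape($t) ?></h2>\n'
                  '<img src="/media/a.png" onerror="PLACEHOLDER_HANDLER">\n'),
    (3, "Gallery", '<script src="/assets/gallery.js"></script>\n'),
]
REVIEWED = {3: digest(SAMPLE[2][2])}  # Gallery output was approved as-is

if __name__ == "__main__":
    for f in audit_modules(SAMPLE, REVIEWED):
        print(f"module {f.module_id} ({f.name}) line {f.line}: {f.rule}")
```

Because the baseline is keyed on a digest of the output code, any later change to an approved module puts it back in the review queue, which also surfaces payloads stored before an upgrade.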