REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-11-26
REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-03-05
Mediamanager in REDAXO before 5.6.4 has XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-10-09
There is a SQL injection in Benutzerverwaltung in REDAXO before 5.6.4.
CVSS Score
9.8
EPSS Score
0.003
Published
2018-10-09
In REDAXO before 5.6.3, a critical SQL injection vulnerability has been discovered in the rex_list class because of the prepareQuery function in core/lib/list.php, via the index.php?page=users/users sort parameter. Endangered was the backend and the frontend only if rex_list were used.
CVSS Score
9.8
EPSS Score
0.004
Published
2018-10-01
PHP remote file inclusion vulnerability in Redaxo 3.0 up to 3.2 allows remote attackers to execute arbitrary PHP code via a URL in the REX[INCLUDE_PATH] parameter to image_resize/pages/index.inc.php.
CVSS Score
7.5
EPSS Score
0.126
Published
2006-06-06