CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Mar 2025 — REDAXO is a PHP-based CMS. In Redaxo from 5.0.0 through 5.18.2, the rex-api-result parameter is vulnerable to reflected cross-site scripting (XSS) on the page of AddOns. This vulnerability is fixed in 5.18.3. • https://github.com/redaxo/redaxo/security/advisories/GHSA-8366-xmgf-334f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Mar 2025 — REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3. • https://github.com/redaxo/redaxo/commit/3b2159bb45da0ab6cfaef5c8cf8b602ee5e2fb37 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

09 Jan 2025 — A vulnerability was found in Redaxo CMS 5.18.1. It has been classified as problematic. Affected is an unknown function of the file /index.php?page=structure&category_id=1&article_id=1&clang=1&function=edit_art&artstart=0 of the component Structure Management Page. The manipulation of the argument Article Name leads to cross-site scripting. • https://geochen.medium.com/redaxo-cms-5-18-1-cross-site-scripting-7c9a872c72f6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Oct 2024 — An issue in the component /index.php?page=backup/export of REDAXO CMS v5.17.1 allows attackers to execute a directory traversal. • https://github.com/Purposex7/Vulns4Study/blob/main/REDAXO%20File%20Download%20Exploit.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Oct 2024 — REDAXO CMS v2.11.0 was discovered to contain a remote code execution (RCE) vulnerability. • https://github.com/Purposex7/Vulns4Study/blob/main/REDAXO%20Cronjobs%20%20AddOns%20RCE.md

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 Feb 2024 — An issue was discovered in REDAXO version 5.15.1 that allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php. • https://github.com/CpyRe/I-Find-CVE-2024/blob/main/REDAXO%20RCE.md • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Feb 2024 — A cross-site scripting (XSS) vulnerability in Redaxo v5.15.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Template section. • https://github.com/WoodManGitHub/MyCVEs/blob/main/2024-REDAXO/XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.3 • EPSS: 3% • CPEs: 1 • EXPL: 2

14 Feb 2024 — Redaxo v5.15.1 was discovered to contain a remote code execution (RCE) vulnerability via the component /pages/templates.php. • https://github.com/WoodManGitHub/MyCVEs/blob/main/2024-REDAXO/RCE.md • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.0 • EPSS: 10% • CPEs: 1 • EXPL: 2

09 Sep 2021 — Remote code execution in the modules component in Yakamara Media Redaxo CMS version 5.12.1 allows an authenticated CMS user to execute code on the hosting system via a module containing malicious PHP code. • https://github.com/evildrummer/CVE-2021-XYZ • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 2

09 Sep 2021 — Triggering an error page of the import process in Yakamara Media Redaxo CMS version 5.12.1 allows an authenticated CMS user has to alternate the files of a valid file backup. This leads to leaking the database credentials in the environment variables. • https://github.com/evildrummer/CVE-2021-XYZ2 • CWE-209: Generation of Error Message Containing Sensitive Information