CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27412 – REDAXO allows Authenticated Reflected Cross Site Scripting - packages installation
https://notcve.org/view.php?id=CVE-2025-27412
05 Mar 2025 — REDAXO is a PHP-based CMS. In Redaxo from 5.0.0 through 5.18.2, the rex-api-result parameter is vulnerable to Reflected cross-site scripting (XSS) on the page of AddOns. This vulnerability is fixed in 5.18.3. • https://github.com/redaxo/redaxo/security/advisories/GHSA-8366-xmgf-334f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27411 – REDAXO allows Arbitrary File Upload in the mediapool page
https://notcve.org/view.php?id=CVE-2025-27411
05 Mar 2025 — REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3. • https://github.com/redaxo/redaxo/commit/3b2159bb45da0ab6cfaef5c8cf8b602ee5e2fb37 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18198
https://notcve.org/view.php?id=CVE-2018-18198
09 Oct 2018 — The $opener_input_field variable in addons/mediapool/pages/index.php in REDAXO 5.6.3 is not effectively filtered and is output directly to the page. The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=[XSS] request. La variable $opener_input_field en addons/mediapool/pages/index.php en REDAXO 5.6.3 no está filtrada de forma efectiva y se envía directamente a la página. El atacante puede insertar cargas útiles XSS mediante una petición index.php? • https://github.com/redaxo/redaxo/releases/tag/5.6.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-18199
https://notcve.org/view.php?id=CVE-2018-18199
09 Oct 2018 — Mediamanager in REDAXO before 5.6.4 has XSS. Mediamanager en REDAXO en versiones anteriores a la 5.6.4 tiene Cross-Site Scripting (XSS). • https://github.com/redaxo/redaxo/releases/tag/5.6.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-18200
https://notcve.org/view.php?id=CVE-2018-18200
09 Oct 2018 — There is a SQL injection in Benutzerverwaltung in REDAXO before 5.6.4. Hay una inyección SQL en Benutzerverwaltung en REDAXO en versiones anteriores a la 5.6.4. • https://github.com/redaxo/redaxo/releases/tag/5.6.4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •