CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18198
https://notcve.org/view.php?id=CVE-2018-18198
09 Oct 2018 — The $opener_input_field variable in addons/mediapool/pages/index.php in REDAXO 5.6.3 is not effectively filtered and is output directly to the page. The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=[XSS] request. La variable $opener_input_field en addons/mediapool/pages/index.php en REDAXO 5.6.3 no está filtrada de forma efectiva y se envía directamente a la página. El atacante puede insertar cargas útiles XSS mediante una petición index.php? • https://github.com/redaxo/redaxo/releases/tag/5.6.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17830
https://notcve.org/view.php?id=CVE-2018-17830
01 Oct 2018 — The $args variable in addons/mediapool/pages/index.php in REDAXO 5.6.2 is not effectively filtered, because names are not restricted (only values are restricted). The attacker can insert XSS payloads via an index.php?page=mediapool/media&opener_input_field=&args[ substring. La variable $args en addons/mediapool/pages/index.php en REDAXO 5.6.2 no está filtrada de forma efectiva, dado que los nombres no están restringidos (solo están restringidos los valores). El atacante puede insertar cargas útiles XSS medi... • https://github.com/redaxo/redaxo4/issues/421 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17831
https://notcve.org/view.php?id=CVE-2018-17831
01 Oct 2018 — In REDAXO before 5.6.3, a critical SQL injection vulnerability has been discovered in the rex_list class because of the prepareQuery function in core/lib/list.php, via the index.php?page=users/users sort parameter. Endangered was the backend and the frontend only if rex_list were used. En REDAXO en versiones anteriores a la 5.6.3, se ha descubierto una vulnerabilidad crítica de inyección SQL en la clase rex_list debido a la función prepareQuery en core/lib/list.php, mediante el parámetro sort en index.php?p... • https://github.com/redaxo/redaxo/issues/2043 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15850
https://notcve.org/view.php?id=CVE-2018-15850
25 Aug 2018 — An issue was discovered in REDAXO CMS 4.7.2. There is a CSRF vulnerability that can add an administrator account via index.php?page=user. Se ha descubierto un problema en REDAXO CMS 4.7.2. Hay una vulnerabilidad de Cross-Site Request Forgery (CSRF) que puede añadir una cuenta de administrador mediante index.php? • https://github.com/redaxo/redaxo4/issues/420 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 3CVE-2012-3869
https://notcve.org/view.php?id=CVE-2012-3869
13 Aug 2012 — Cross-site scripting (XSS) vulnerability in include/classes/class.rex_list.inc.php in REDAXO 4.3.x and 4.4 allows remote attackers to inject arbitrary web script or HTML via the subpage parameter to index.php. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en include/classes/class.rex_list.inc.php en REDAXO v4.3.x y v4.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro 'subpage' a index.php. • http://archives.neohapsis.com/archives/bugtraq/2012-07/0142.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 1CVE-2006-2843 – Redaxo 3.2 - 'INCLUDE_PATH' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2006-2843
06 Jun 2006 — PHP remote file inclusion vulnerability in Redaxo 2.7.4 allows remote attackers to execute arbitrary PHP code via a URL in the (1) REX[INCLUDE_PATH] parameter in (a) addons/import_export/pages/index.inc.php and (b) pages/community.inc.php. • https://www.exploit-db.com/exploits/1861 •
CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 1CVE-2006-2845 – Redaxo 3.2 - 'INCLUDE_PATH' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2006-2845
06 Jun 2006 — PHP remote file inclusion vulnerability in Redaxo 3.0 up to 3.2 allows remote attackers to execute arbitrary PHP code via a URL in the REX[INCLUDE_PATH] parameter to image_resize/pages/index.inc.php. • https://www.exploit-db.com/exploits/1861 •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 1CVE-2006-2844 – Redaxo 3.2 - 'INCLUDE_PATH' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2006-2844
06 Jun 2006 — Multiple PHP remote file inclusion vulnerabilities in Redaxo 3.0 allow remote attackers to execute arbitrary PHP code via a URL in the REX[INCLUDE_PATH] parameter to (1) simple_user/pages/index.inc.php and (2) stats/pages/index.inc.php. • https://www.exploit-db.com/exploits/1861 •