CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Mar 2025 — REDAXO is a PHP-based CMS. In REDAXO from 5.0.0 through 5.18.2, the rex-api-result parameter is vulnerable to reflected cross-site scripting (XSS) on the AddOns page. This vulnerability is fixed in 5.18.3. • https://github.com/redaxo/redaxo/security/advisories/GHSA-8366-xmgf-334f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Mar 2025 — REDAXO is a PHP-based CMS. In REDAXO before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3. • https://github.com/redaxo/redaxo/commit/3b2159bb45da0ab6cfaef5c8cf8b602ee5e2fb37 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 Feb 2024 — An issue discovered in REDAXO version 5.15.1 allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php. • https://github.com/CpyRe/I-Find-CVE-2024/blob/main/REDAXO%20RCE.md • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Feb 2024 — A cross-site scripting (XSS) vulnerability in Redaxo v5.15.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Template section. • https://github.com/WoodManGitHub/MyCVEs/blob/main/2024-REDAXO/XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.3 • EPSS: 3% • CPEs: 1 • EXPL: 2

14 Feb 2024 — Redaxo v5.15.1 was discovered to contain a remote code execution (RCE) vulnerability via the component /pages/templates.php. • https://github.com/WoodManGitHub/MyCVEs/blob/main/2024-REDAXO/RCE.md • CWE-94: Improper Control of Generation of Code ('Code Injection')