SB20260629113 - Multiple vulnerabilities in REDAXO
Published: June 29, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper input validation in the rex_list component when processing the sort GET parameter for ORDER BY clauses. A remote user can supply a crafted sort parameter to disclose sensitive information.
Error messages can confirm whether referenced columns exist, and query results can be reordered using unselected sensitive columns from the underlying tables.
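The usual fix for a sort parameter that ends up in ORDER BY is to never interpolate it at all: the value is used only as a lookup key into the columns the list itself selects, and every rejection returns the same generic error so the response cannot serve as a column-existence oracle. The following is an added, language-neutral illustration in Python (REDAXO itself is PHP) and is not code from the project; the `users` table, its rows and the `password_hash` column are constructed for the example.

```python
import re
import sqlite3
from typing import List, Optional

# Constructed sample schema: "password_hash" exists in the table but is
# deliberately NOT part of the list view's SELECT list.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    login TEXT NOT NULL,
    email TEXT NOT NULL,
    password_hash TEXT NOT NULL
);
"""
ROWS = [
    (1, "alice", "alice@example.test", "hash-c"),
    (2, "bob", "bob@example.test", "hash-a"),
    (3, "carol", "carol@example.test", "hash-b"),
]
LIST_COLUMNS = ["id", "login", "email"]          # what the list actually displays
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # plain identifiers only


class InvalidSortError(ValueError):
    """Raised for any sort value outside the allowlist; the message is generic on purpose."""


def build_list_query(select_columns: List[str], sort: Optional[str], direction: str = "asc") -> str:
    """Build the list SELECT with an ORDER BY derived only from allowlisted identifiers.

    The request's sort value is never copied into SQL. It must match one of the
    columns the list selects, so it can neither probe for hidden columns nor sort
    by them. The direction is mapped through a fixed table for the same reason.
    """
    if not select_columns or not all(IDENT_RE.fullmatch(c) for c in select_columns):
        raise ValueError("select list must contain plain identifiers")
    order_clause = ""
    if sort is not None:
        # One message for "unknown", "exists but not selected" and "malformed":
        # a distinct error per case would reintroduce the existence oracle.
        if sort not in select_columns:
            raise InvalidSortError("invalid sort parameter")
        dir_sql = {"asc": "ASC", "desc": "DESC"}.get(direction.lower())
        if dir_sql is None:
            raise InvalidSortError("invalid sort parameter")
        order_clause = f' ORDER BY "{sort}" {dir_sql}'
    cols = ", ".join(f'"{c}"' for c in select_columns)
    return f"SELECT {cols} FROM users{order_clause}"


def list_users(sort: Optional[str] = None, direction: str = "asc"):
    """Run the list view against a constructed in-memory database and return its rows."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
        sql = build_list_query(LIST_COLUMNS, sort, direction)
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(list_users("email", "desc"))
    for probe in ("password_hash", "no_such_column"):
        try:
            list_users(probe)
        except InvalidSortError as err:
            print(probe, "->", err)   # identical message for both probes
```

The allowlist is the set of columns the view selects rather than the set of columns the table has; that distinction is what prevents reordering by a column the user was never meant to see.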
2) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to trigger unauthorized package updates.
The vulnerability exists due to cross-site request forgery in rex_api_install_package_update when handling package update requests. A remote attacker can trick an authenticated administrator into visiting a crafted page to trigger unauthorized package updates.
User interaction is required, and exploitation succeeds when an authenticated administrator visits a malicious page with an active session.
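A state-changing endpoint such as a package update is protected against this class of bug by requiring a secret the attacker's page cannot obtain: a token bound to the victim's session and to the specific action, checked in constant time, on POST only. The example below is added here as an illustration in Python and is not REDAXO's code; `SECRET_KEY`, the request and session dictionaries and the action name `package_update` are constructed for the example, and the `Sec-Fetch-Site` check is an additional defence-in-depth layer, not something the bulletin describes.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Assumption: in a real application this comes from server-side configuration.
SECRET_KEY = b"constructed-server-secret-do-not-reuse"


def issue_csrf_token(session_id: str, action: str) -> str:
    """Derive a token bound to both the session and the action it authorises.

    A page on another origin can neither read the session cookie nor the token
    embedded in the legitimate form, so it cannot present a valid value.
    """
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, action: str, presented: Optional[str]) -> bool:
    """Constant-time comparison against the expected token; missing token fails."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id, action), presented)


def handle_package_update(request: Dict, session: Dict) -> Tuple[int, str]:
    """Simulated handler for a package update; refuses the action without proof of intent."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    # Defence in depth: modern browsers label cross-origin requests; refuse those outright.
    if request.get("headers", {}).get("Sec-Fetch-Site") == "cross-site":
        return 403, "cross-site request refused"
    form = request.get("form", {})
    if not verify_csrf_token(session["id"], "package_update", form.get("csrf_token")):
        return 403, "invalid or missing CSRF token"
    return 200, f"update of {form['package']} queued"


if __name__ == "__main__":
    session = {"id": "sess-123"}
    good = {"method": "POST",
            "form": {"csrf_token": issue_csrf_token("sess-123", "package_update"),
                     "package": "example_addon"}}
    forged = {"method": "POST", "form": {"package": "example_addon"}}
    print(handle_package_update(good, session))
    print(handle_package_update(forged, session))
```

Binding the token to the action means a token harvested from one form (say, a delete dialog) does not authorise a different operation, and the POST-only rule keeps a simple image tag or link from triggering the update at all.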
3) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of a backend user.
The vulnerability exists due to cross-site scripting in the mediapool sync page (sync.php) when rendering filesystem filenames from the /media directory into HTML. A remote privileged user can place a file with a specially crafted filename in the media directory to execute arbitrary JavaScript in the browser of a backend user.
User interaction is required to view the Mediapool → Sync page, and the page is accessible to backend users with the media[sync] permission.
4) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the mediaIsInUse() function in the media manager addon when rendering a warning message for deletion of a media file referenced by a Media Manager effect. A remote privileged user can store a crafted type name to execute arbitrary script in a victim's browser.
User interaction is required, as the victim must attempt to delete a media file linked to the affected type's effects.
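Both stored XSS issues above (a filename from the filesystem in the sync page, a type name in the media manager warning) share one root cause: a string that did not originate in the template is written into HTML without output encoding. The example below is added here as an illustration in Python and is not REDAXO's code; it renders a sync table and an in-use warning with context-appropriate escaping, then parses the result to confirm that only the template's own elements survive, which is the check a unit test for either page would make. The filenames and type name are constructed.

```python
import html
from html.parser import HTMLParser
from typing import Iterable, List

# Constructed sample inputs; the angle brackets become inert text once escaped.
SAMPLE_FILENAMES = ["logo.png", 'x<img src=x onerror="y">.png', "report 2026.pdf"]
SAMPLE_TYPE_NAME = "<script>alert(1)</script>"


def esc(value: str) -> str:
    """Escape for an HTML text or attribute context (quote=True also covers ' and \")."""
    return html.escape(value, quote=True)


def render_sync_table(filenames: Iterable[str]) -> str:
    """Render filesystem names into the sync table; every name goes through esc()."""
    rows = "".join(f"<tr><td>{esc(name)}</td></tr>\n" for name in filenames)
    return f"<table>\n{rows}</table>"


def render_in_use_warning(filename: str, type_name: str) -> str:
    """Render the deletion warning; stored type names are untrusted and escaped as well."""
    message = f"{filename} is in use by media type '{type_name}'"
    return f'<div class="alert">{esc(message)}</div>'


class _ElementCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.names: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.names.append(tag)


def element_names(rendered: str) -> List[str]:
    """Return the start tags a browser-like parser would see; the template's set and nothing more."""
    collector = _ElementCollector()
    collector.feed(rendered)
    collector.close()
    return collector.names


if __name__ == "__main__":
    table = render_sync_table(SAMPLE_FILENAMES)
    print(table)
    print("elements:", element_names(table))
    warning = render_in_use_warning("banner.jpg", SAMPLE_TYPE_NAME)
    print(warning)
    print("elements:", element_names(warning))
```

Escaping at the point of output is the fix that holds regardless of where the string came from (filesystem, database, request); restricting which characters a filename may contain at sync time is a reasonable extra layer but not a substitute, since the warning path shows that the same bug recurs with a different source.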
Remediation
Install the update from the vendor's website.